Analysis Overview
SHA256
e53b7f74cba1228b9f406c04e0ec580f4597d6de93cb5cdbf51564fee4111ead
Threat Level: Known bad
The file SecuriteInfo.com.Trojan.Siggen10.41067.16574.2807 was found to be: Known bad.
Malicious Activity Summary
Windows security bypass
Avaddon
Avaddon Ransomware
UAC bypass
Deletes shadow copies
Executes dropped EXE
Modifies extensions of user files
Windows security modification
Loads dropped DLL
Adds Run key to start application
Checks whether UAC is enabled
Drops desktop.ini file(s)
Enumerates connected drives
Modifies service
System policy modification
Suspicious use of WriteProcessMemory
Interacts with shadow copies
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2020-10-25 22:56
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2020-10-25 22:56
Reported
2020-10-25 23:52
Platform
win7
Max time kernel
151s
Max time network
144s
Command Line
Signatures
Avaddon
Avaddon Ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UAC bypass
Windows security bypass
Deletes shadow copies
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\9496160215703\winsvcs.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3607829734.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2646730201.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3596031094.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\3607829734.exe | N/A |
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File renamed | C:\Users\Admin\Pictures\EnableClear.png => C:\Users\Admin\Pictures\EnableClear.png.aDcAEABcDE | C:\Users\Admin\AppData\Local\Temp\3607829734.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\InvokePublish.crw => C:\Users\Admin\Pictures\InvokePublish.crw.aDcAEABcDE | C:\Users\Admin\AppData\Local\Temp\3607829734.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\WriteSend.png => C:\Users\Admin\Pictures\WriteSend.png.aDcAEABcDE | C:\Users\Admin\AppData\Local\Temp\3607829734.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\TestSuspend.crw => C:\Users\Admin\Pictures\TestSuspend.crw.aDcAEABcDE | C:\Users\Admin\AppData\Local\Temp\3607829734.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen10.41067.16574.2807.exe | N/A |
| N/A | N/A | C:\9496160215703\winsvcs.exe | N/A |
| N/A | N/A | C:\9496160215703\winsvcs.exe | N/A |
| N/A | N/A | C:\9496160215703\winsvcs.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\9496160215703\winsvcs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\9496160215703\winsvcs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\9496160215703\winsvcs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\9496160215703\winsvcs.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Services = "C:\\9496160215703\\winsvcs.exe" | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen10.41067.16574.2807.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Services = "C:\\9496160215703\\winsvcs.exe" | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen10.41067.16574.2807.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\3607829734.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | \??\Z:\$RECYCLE.BIN\S-1-5-21-4210623931-3856158591-1213714290-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\3607829734.exe | N/A |
Enumerates connected drives
Modifies service
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | C:\Windows\system32\vssvc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | C:\Windows\system32\vssvc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | C:\Windows\system32\vssvc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | C:\Windows\system32\vssvc.exe | N/A |
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\vssadmin.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\3607829734.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\3607829734.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | C:\Users\Admin\AppData\Local\Temp\3607829734.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen10.41067.16574.2807.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen10.41067.16574.2807.exe"
C:\9496160215703\winsvcs.exe
C:\9496160215703\winsvcs.exe
C:\Users\Admin\AppData\Local\Temp\3607829734.exe
C:\Users\Admin\AppData\Local\Temp\3607829734.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c wmic.exe SHADOWCOPY /nointeractive
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c wbadmin DELETE SYSTEMSTATEBACKUP
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} recoveryenabled No
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic.exe SHADOWCOPY /nointeractive
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c wmic.exe SHADOWCOPY /nointeractive
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c wbadmin DELETE SYSTEMSTATEBACKUP
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic.exe SHADOWCOPY /nointeractive
C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} recoveryenabled No
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c wmic.exe SHADOWCOPY /nointeractive
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c wbadmin DELETE SYSTEMSTATEBACKUP
C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic.exe SHADOWCOPY /nointeractive
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} recoveryenabled No
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet
C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
C:\Users\Admin\AppData\Local\Temp\2646730201.exe
C:\Users\Admin\AppData\Local\Temp\2646730201.exe
C:\Users\Admin\AppData\Local\Temp\3596031094.exe
C:\Users\Admin\AppData\Local\Temp\3596031094.exe
C:\Windows\system32\taskeng.exe
taskeng.exe {64A704A1-472C-40D6-85E9-91FE9289D11C} S-1-5-21-4210623931-3856158591-1213714290-1000:VDIPBIOF\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\3607829734.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\3607829734.exe
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | worm.ws | udp |
| N/A | 217.8.117.10:80 | worm.ws | tcp |
| N/A | 217.8.117.10:80 | worm.ws | tcp |
| N/A | 217.8.117.10:80 | worm.ws | tcp |
| N/A | 217.8.117.10:80 | worm.ws | tcp |
| N/A | 8.8.8.8:53 | geueudusl.ws | udp |
| N/A | 64.70.19.203:80 | geueudusl.ws | tcp |
| N/A | 64.70.19.203:80 | geueudusl.ws | tcp |
| N/A | 64.70.19.203:80 | geueudusl.ws | tcp |
Files
\9496160215703\winsvcs.exe
| MD5 | 5790ee7642277ac3ab4df17ba016754d |
| SHA1 | f1d92a433e7fe4e17c349ebabad629e4fb814af3 |
| SHA256 | e53b7f74cba1228b9f406c04e0ec580f4597d6de93cb5cdbf51564fee4111ead |
| SHA512 | e652a3b02827ee7afb794f596d756ff0845c7e67cbef674991a5f3d9ea4bd672bf0d0d12a00df3c6b894eebb3421e1ea8f69c497af2d416bfed8ef0ccd8cb385 |
memory/1648-1-0x0000000000000000-mapping.dmp
C:\9496160215703\winsvcs.exe
| MD5 | 5790ee7642277ac3ab4df17ba016754d |
| SHA1 | f1d92a433e7fe4e17c349ebabad629e4fb814af3 |
| SHA256 | e53b7f74cba1228b9f406c04e0ec580f4597d6de93cb5cdbf51564fee4111ead |
| SHA512 | e652a3b02827ee7afb794f596d756ff0845c7e67cbef674991a5f3d9ea4bd672bf0d0d12a00df3c6b894eebb3421e1ea8f69c497af2d416bfed8ef0ccd8cb385 |
C:\9496160215703\winsvcs.exe
| MD5 | 5790ee7642277ac3ab4df17ba016754d |
| SHA1 | f1d92a433e7fe4e17c349ebabad629e4fb814af3 |
| SHA256 | e53b7f74cba1228b9f406c04e0ec580f4597d6de93cb5cdbf51564fee4111ead |
| SHA512 | e652a3b02827ee7afb794f596d756ff0845c7e67cbef674991a5f3d9ea4bd672bf0d0d12a00df3c6b894eebb3421e1ea8f69c497af2d416bfed8ef0ccd8cb385 |
memory/1660-4-0x000007FEF6AE0000-0x000007FEF6D5A000-memory.dmp
\Users\Admin\AppData\Local\Temp\3607829734.exe
| MD5 | f653e6890e4afe6eb4081b3f94189dad |
| SHA1 | a19718f52fa1f2dcba2acec7a4556f0dc77793d9 |
| SHA256 | d8432d6eca2162786cc16d694cf0a1a7e08095870325e46f3067bd654e47cfb2 |
| SHA512 | e8883ff02069766d8b2f8f8aac75292344d9dcc508084d7a96d26db2d8fdd8fac375d9d327b8c51a5e493304f5dc908a542c42e271856624157a7a0807c82bd2 |
memory/1256-6-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\3607829734.exe
| MD5 | f653e6890e4afe6eb4081b3f94189dad |
| SHA1 | a19718f52fa1f2dcba2acec7a4556f0dc77793d9 |
| SHA256 | d8432d6eca2162786cc16d694cf0a1a7e08095870325e46f3067bd654e47cfb2 |
| SHA512 | e8883ff02069766d8b2f8f8aac75292344d9dcc508084d7a96d26db2d8fdd8fac375d9d327b8c51a5e493304f5dc908a542c42e271856624157a7a0807c82bd2 |
C:\Users\Admin\AppData\Local\Temp\3607829734.exe
| MD5 | f653e6890e4afe6eb4081b3f94189dad |
| SHA1 | a19718f52fa1f2dcba2acec7a4556f0dc77793d9 |
| SHA256 | d8432d6eca2162786cc16d694cf0a1a7e08095870325e46f3067bd654e47cfb2 |
| SHA512 | e8883ff02069766d8b2f8f8aac75292344d9dcc508084d7a96d26db2d8fdd8fac375d9d327b8c51a5e493304f5dc908a542c42e271856624157a7a0807c82bd2 |
memory/1832-9-0x0000000000000000-mapping.dmp
memory/1892-10-0x0000000000000000-mapping.dmp
memory/680-11-0x0000000000000000-mapping.dmp
memory/1436-12-0x0000000000000000-mapping.dmp
memory/860-13-0x0000000000000000-mapping.dmp
memory/528-14-0x0000000000000000-mapping.dmp
memory/832-15-0x0000000000000000-mapping.dmp
memory/720-16-0x0000000000000000-mapping.dmp
memory/1412-17-0x0000000000000000-mapping.dmp
memory/1996-19-0x0000000000000000-mapping.dmp
memory/1112-18-0x0000000000000000-mapping.dmp
memory/2004-20-0x0000000000000000-mapping.dmp
memory/1028-21-0x0000000000000000-mapping.dmp
memory/1140-22-0x0000000000000000-mapping.dmp
memory/548-23-0x0000000000000000-mapping.dmp
memory/1364-24-0x0000000000000000-mapping.dmp
memory/528-25-0x0000000000000000-mapping.dmp
memory/1884-27-0x0000000000000000-mapping.dmp
memory/1416-26-0x0000000000000000-mapping.dmp
memory/1116-28-0x0000000000000000-mapping.dmp
memory/900-29-0x0000000000000000-mapping.dmp
memory/1360-30-0x0000000000000000-mapping.dmp
memory/960-31-0x0000000000000000-mapping.dmp
memory/1932-32-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\2646730201.exe
| MD5 | f653e6890e4afe6eb4081b3f94189dad |
| SHA1 | a19718f52fa1f2dcba2acec7a4556f0dc77793d9 |
| SHA256 | d8432d6eca2162786cc16d694cf0a1a7e08095870325e46f3067bd654e47cfb2 |
| SHA512 | e8883ff02069766d8b2f8f8aac75292344d9dcc508084d7a96d26db2d8fdd8fac375d9d327b8c51a5e493304f5dc908a542c42e271856624157a7a0807c82bd2 |
memory/620-34-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\2646730201.exe
| MD5 | f653e6890e4afe6eb4081b3f94189dad |
| SHA1 | a19718f52fa1f2dcba2acec7a4556f0dc77793d9 |
| SHA256 | d8432d6eca2162786cc16d694cf0a1a7e08095870325e46f3067bd654e47cfb2 |
| SHA512 | e8883ff02069766d8b2f8f8aac75292344d9dcc508084d7a96d26db2d8fdd8fac375d9d327b8c51a5e493304f5dc908a542c42e271856624157a7a0807c82bd2 |
\Users\Admin\AppData\Local\Temp\3596031094.exe
| MD5 | f653e6890e4afe6eb4081b3f94189dad |
| SHA1 | a19718f52fa1f2dcba2acec7a4556f0dc77793d9 |
| SHA256 | d8432d6eca2162786cc16d694cf0a1a7e08095870325e46f3067bd654e47cfb2 |
| SHA512 | e8883ff02069766d8b2f8f8aac75292344d9dcc508084d7a96d26db2d8fdd8fac375d9d327b8c51a5e493304f5dc908a542c42e271856624157a7a0807c82bd2 |
memory/940-37-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\3596031094.exe
| MD5 | f653e6890e4afe6eb4081b3f94189dad |
| SHA1 | a19718f52fa1f2dcba2acec7a4556f0dc77793d9 |
| SHA256 | d8432d6eca2162786cc16d694cf0a1a7e08095870325e46f3067bd654e47cfb2 |
| SHA512 | e8883ff02069766d8b2f8f8aac75292344d9dcc508084d7a96d26db2d8fdd8fac375d9d327b8c51a5e493304f5dc908a542c42e271856624157a7a0807c82bd2 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\3607829734.exe
| MD5 | f653e6890e4afe6eb4081b3f94189dad |
| SHA1 | a19718f52fa1f2dcba2acec7a4556f0dc77793d9 |
| SHA256 | d8432d6eca2162786cc16d694cf0a1a7e08095870325e46f3067bd654e47cfb2 |
| SHA512 | e8883ff02069766d8b2f8f8aac75292344d9dcc508084d7a96d26db2d8fdd8fac375d9d327b8c51a5e493304f5dc908a542c42e271856624157a7a0807c82bd2 |
memory/1700-40-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\3607829734.exe
| MD5 | f653e6890e4afe6eb4081b3f94189dad |
| SHA1 | a19718f52fa1f2dcba2acec7a4556f0dc77793d9 |
| SHA256 | d8432d6eca2162786cc16d694cf0a1a7e08095870325e46f3067bd654e47cfb2 |
| SHA512 | e8883ff02069766d8b2f8f8aac75292344d9dcc508084d7a96d26db2d8fdd8fac375d9d327b8c51a5e493304f5dc908a542c42e271856624157a7a0807c82bd2 |
Analysis: behavioral2
Detonation Overview
Submitted
2020-10-25 22:56
Reported
2020-10-25 23:52
Platform
win10
Max time kernel
150s
Max time network
149s
Command Line
Signatures
Avaddon
Avaddon Ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UAC bypass
Windows security bypass
Deletes shadow copies
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\254082425130016\winsvcs.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2524810065.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1265819777.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2466516868.exe | N/A |
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File renamed | C:\Users\Admin\Pictures\EnterSearch.tiff => C:\Users\Admin\Pictures\EnterSearch.tiff.CabCBAdeEA | C:\Users\Admin\AppData\Local\Temp\2524810065.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ReadShow.tif => C:\Users\Admin\Pictures\ReadShow.tif.CabCBAdeEA | C:\Users\Admin\AppData\Local\Temp\2524810065.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\MoveDisconnect.png => C:\Users\Admin\Pictures\MoveDisconnect.png.CabCBAdeEA | C:\Users\Admin\AppData\Local\Temp\2524810065.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ResumeCopy.png => C:\Users\Admin\Pictures\ResumeCopy.png.CabCBAdeEA | C:\Users\Admin\AppData\Local\Temp\2524810065.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\StopWait.tiff | C:\Users\Admin\AppData\Local\Temp\2524810065.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\StopWait.tiff => C:\Users\Admin\Pictures\StopWait.tiff.CabCBAdeEA | C:\Users\Admin\AppData\Local\Temp\2524810065.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\WaitRedo.tiff | C:\Users\Admin\AppData\Local\Temp\2524810065.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\EnterSearch.tiff | C:\Users\Admin\AppData\Local\Temp\2524810065.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ConfirmClose.png => C:\Users\Admin\Pictures\ConfirmClose.png.CabCBAdeEA | C:\Users\Admin\AppData\Local\Temp\2524810065.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ConvertRegister.png => C:\Users\Admin\Pictures\ConvertRegister.png.CabCBAdeEA | C:\Users\Admin\AppData\Local\Temp\2524810065.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\WaitRedo.tiff => C:\Users\Admin\Pictures\WaitRedo.tiff.CabCBAdeEA | C:\Users\Admin\AppData\Local\Temp\2524810065.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\UndoProtect.raw => C:\Users\Admin\Pictures\UndoProtect.raw.CabCBAdeEA | C:\Users\Admin\AppData\Local\Temp\2524810065.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\254082425130016\winsvcs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\254082425130016\winsvcs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\254082425130016\winsvcs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\254082425130016\winsvcs.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Services = "C:\\254082425130016\\winsvcs.exe" | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen10.41067.16574.2807.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627584638-3284755310-3019450177-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Services = "C:\\254082425130016\\winsvcs.exe" | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen10.41067.16574.2807.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\2524810065.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | \??\Z:\$RECYCLE.BIN\S-1-5-21-2627584638-3284755310-3019450177-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\2524810065.exe | N/A |
Enumerates connected drives
Modifies service
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | C:\Windows\system32\vssvc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | C:\Windows\system32\vssvc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | C:\Windows\system32\vssvc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | C:\Windows\system32\vssvc.exe | N/A |
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\vssadmin.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\2524810065.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\2524810065.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | C:\Users\Admin\AppData\Local\Temp\2524810065.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen10.41067.16574.2807.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen10.41067.16574.2807.exe"
C:\254082425130016\winsvcs.exe
C:\254082425130016\winsvcs.exe
C:\Users\Admin\AppData\Local\Temp\2524810065.exe
C:\Users\Admin\AppData\Local\Temp\2524810065.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c wmic.exe SHADOWCOPY /nointeractive
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c wbadmin DELETE SYSTEMSTATEBACKUP
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} recoveryenabled No
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic.exe SHADOWCOPY /nointeractive
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c wmic.exe SHADOWCOPY /nointeractive
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c wbadmin DELETE SYSTEMSTATEBACKUP
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} recoveryenabled No
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c wmic.exe SHADOWCOPY /nointeractive
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c wbadmin DELETE SYSTEMSTATEBACKUP
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} recoveryenabled No
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet
C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic.exe SHADOWCOPY /nointeractive
C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic.exe SHADOWCOPY /nointeractive
C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
C:\Users\Admin\AppData\Local\Temp\1265819777.exe
C:\Users\Admin\AppData\Local\Temp\1265819777.exe
C:\Users\Admin\AppData\Local\Temp\2466516868.exe
C:\Users\Admin\AppData\Local\Temp\2466516868.exe
Network
| Country | Destination | Domain | Proto |
| N/A | 52.109.88.35:443 | tcp | |
| N/A | 8.8.8.8:53 | worm.ws | udp |
| N/A | 217.8.117.10:80 | worm.ws | tcp |
| N/A | 217.8.117.10:80 | worm.ws | tcp |
| N/A | 10.10.0.1:445 | tcp | |
| N/A | 217.8.117.10:80 | worm.ws | tcp |
| N/A | 10.10.0.1:139 | tcp | |
| N/A | 217.8.117.10:80 | worm.ws | tcp |
| N/A | 8.8.8.8:53 | geueudusl.ws | udp |
| N/A | 64.70.19.203:80 | geueudusl.ws | tcp |
| N/A | 64.70.19.203:80 | geueudusl.ws | tcp |
| N/A | 64.70.19.203:80 | geueudusl.ws | tcp |
| N/A | 10.10.0.10:445 | tcp | |
| N/A | 10.10.0.11:445 | tcp | |
| N/A | 10.10.0.12:445 | tcp | |
| N/A | 10.10.0.13:445 | tcp | |
| N/A | 10.10.0.15:445 | tcp | |
| N/A | 10.10.0.17:445 | tcp | |
| N/A | 10.10.0.20:445 | tcp | |
| N/A | 10.10.0.23:445 | tcp | |
| N/A | 10.10.0.24:445 | tcp | |
| N/A | 10.10.0.26:445 | tcp | |
| N/A | 10.10.0.28:445 | tcp | |
| N/A | 10.10.0.29:445 | tcp | |
| N/A | 10.10.0.32:445 | tcp | |
| N/A | 10.10.0.36:445 | tcp |
Files
memory/2548-0-0x0000000000000000-mapping.dmp
C:\254082425130016\winsvcs.exe
| MD5 | 5790ee7642277ac3ab4df17ba016754d |
| SHA1 | f1d92a433e7fe4e17c349ebabad629e4fb814af3 |
| SHA256 | e53b7f74cba1228b9f406c04e0ec580f4597d6de93cb5cdbf51564fee4111ead |
| SHA512 | e652a3b02827ee7afb794f596d756ff0845c7e67cbef674991a5f3d9ea4bd672bf0d0d12a00df3c6b894eebb3421e1ea8f69c497af2d416bfed8ef0ccd8cb385 |
C:\254082425130016\winsvcs.exe
| MD5 | 5790ee7642277ac3ab4df17ba016754d |
| SHA1 | f1d92a433e7fe4e17c349ebabad629e4fb814af3 |
| SHA256 | e53b7f74cba1228b9f406c04e0ec580f4597d6de93cb5cdbf51564fee4111ead |
| SHA512 | e652a3b02827ee7afb794f596d756ff0845c7e67cbef674991a5f3d9ea4bd672bf0d0d12a00df3c6b894eebb3421e1ea8f69c497af2d416bfed8ef0ccd8cb385 |
C:\Users\Admin\AppData\Local\Temp\2524810065.exe
| MD5 | f653e6890e4afe6eb4081b3f94189dad |
| SHA1 | a19718f52fa1f2dcba2acec7a4556f0dc77793d9 |
| SHA256 | d8432d6eca2162786cc16d694cf0a1a7e08095870325e46f3067bd654e47cfb2 |
| SHA512 | e8883ff02069766d8b2f8f8aac75292344d9dcc508084d7a96d26db2d8fdd8fac375d9d327b8c51a5e493304f5dc908a542c42e271856624157a7a0807c82bd2 |
memory/1420-3-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\2524810065.exe
| MD5 | f653e6890e4afe6eb4081b3f94189dad |
| SHA1 | a19718f52fa1f2dcba2acec7a4556f0dc77793d9 |
| SHA256 | d8432d6eca2162786cc16d694cf0a1a7e08095870325e46f3067bd654e47cfb2 |
| SHA512 | e8883ff02069766d8b2f8f8aac75292344d9dcc508084d7a96d26db2d8fdd8fac375d9d327b8c51a5e493304f5dc908a542c42e271856624157a7a0807c82bd2 |
memory/1560-6-0x0000000000000000-mapping.dmp
memory/3336-7-0x0000000000000000-mapping.dmp
memory/384-8-0x0000000000000000-mapping.dmp
memory/3964-9-0x0000000000000000-mapping.dmp
memory/2112-11-0x0000000000000000-mapping.dmp
memory/4008-10-0x0000000000000000-mapping.dmp
memory/1784-12-0x0000000000000000-mapping.dmp
memory/2036-13-0x0000000000000000-mapping.dmp
memory/1656-14-0x0000000000000000-mapping.dmp
memory/804-15-0x0000000000000000-mapping.dmp
memory/3820-16-0x0000000000000000-mapping.dmp
memory/3736-17-0x0000000000000000-mapping.dmp
memory/3656-18-0x0000000000000000-mapping.dmp
memory/2304-19-0x0000000000000000-mapping.dmp
memory/1712-20-0x0000000000000000-mapping.dmp
memory/2676-21-0x0000000000000000-mapping.dmp
memory/4128-22-0x0000000000000000-mapping.dmp
memory/4176-23-0x0000000000000000-mapping.dmp
memory/4232-24-0x0000000000000000-mapping.dmp
memory/4340-25-0x0000000000000000-mapping.dmp
memory/4352-26-0x0000000000000000-mapping.dmp
memory/4404-27-0x0000000000000000-mapping.dmp
memory/4476-28-0x0000000000000000-mapping.dmp
memory/4524-29-0x0000000000000000-mapping.dmp
memory/4580-30-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\1265819777.exe
| MD5 | f653e6890e4afe6eb4081b3f94189dad |
| SHA1 | a19718f52fa1f2dcba2acec7a4556f0dc77793d9 |
| SHA256 | d8432d6eca2162786cc16d694cf0a1a7e08095870325e46f3067bd654e47cfb2 |
| SHA512 | e8883ff02069766d8b2f8f8aac75292344d9dcc508084d7a96d26db2d8fdd8fac375d9d327b8c51a5e493304f5dc908a542c42e271856624157a7a0807c82bd2 |
C:\Users\Admin\AppData\Local\Temp\1265819777.exe
| MD5 | f653e6890e4afe6eb4081b3f94189dad |
| SHA1 | a19718f52fa1f2dcba2acec7a4556f0dc77793d9 |
| SHA256 | d8432d6eca2162786cc16d694cf0a1a7e08095870325e46f3067bd654e47cfb2 |
| SHA512 | e8883ff02069766d8b2f8f8aac75292344d9dcc508084d7a96d26db2d8fdd8fac375d9d327b8c51a5e493304f5dc908a542c42e271856624157a7a0807c82bd2 |
memory/4640-33-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\2466516868.exe
| MD5 | f653e6890e4afe6eb4081b3f94189dad |
| SHA1 | a19718f52fa1f2dcba2acec7a4556f0dc77793d9 |
| SHA256 | d8432d6eca2162786cc16d694cf0a1a7e08095870325e46f3067bd654e47cfb2 |
| SHA512 | e8883ff02069766d8b2f8f8aac75292344d9dcc508084d7a96d26db2d8fdd8fac375d9d327b8c51a5e493304f5dc908a542c42e271856624157a7a0807c82bd2 |
C:\Users\Admin\AppData\Local\Temp\2466516868.exe
| MD5 | f653e6890e4afe6eb4081b3f94189dad |
| SHA1 | a19718f52fa1f2dcba2acec7a4556f0dc77793d9 |
| SHA256 | d8432d6eca2162786cc16d694cf0a1a7e08095870325e46f3067bd654e47cfb2 |
| SHA512 | e8883ff02069766d8b2f8f8aac75292344d9dcc508084d7a96d26db2d8fdd8fac375d9d327b8c51a5e493304f5dc908a542c42e271856624157a7a0807c82bd2 |