Analysis
max time kernel: 149s
max time network: 149s
platform: windows7_x64
resource: win7
submitted: 28-10-2020 10:21
Static task: static1
Behavioral task: behavioral1
  Sample: b76e77b52d682f0938d120f3fe011660.exe
  Resource: win7
Behavioral task: behavioral2
  Sample: b76e77b52d682f0938d120f3fe011660.exe
  Resource: win10
General
Target: b76e77b52d682f0938d120f3fe011660.exe
Size: 68KB
MD5: b76e77b52d682f0938d120f3fe011660
SHA1: c1fdc71284b5a34b170470a6071626f40f4a4f65
SHA256: 0ba5efbb88dd3a6cf12923ed9f6abe16431e839cf0d0beebc3e2e0cdf1a6af5a
SHA512: 5547b31fd4635d81e8ea4d426c0133f291b0a1caa3237efb21f849fe71d2d504bf59a1d25e3a20265e6a6f8ce108e6adda47f66eed2c64ecfa96c593efb80177
Malware Config
Extracted from C:\Users\Admin\Desktop\LhTk7_readme_.txt: http://avaddonbotrxmuyl.onion
Extracted from C:\Users\Admin\Downloads\LhTk7_readme_.txt: http://avaddonbotrxmuyl.onion
Extracted from C:\Users\Default\LhTk7_readme_.txt: http://avaddonbotrxmuyl.onion
Signatures
Avaddon
Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.
Avaddon Ransomware 7 IoCs
Matches (resource, yara_rule):
- behavioral1/files/0x00030000000130df-5.dat avaddon_ransomware
- behavioral1/files/0x00030000000130df-7.dat avaddon_ransomware
- behavioral1/files/0x00030000000130df-8.dat avaddon_ransomware
- behavioral1/files/0x00030000000130e8-33.dat avaddon_ransomware
- behavioral1/files/0x00030000000130e8-35.dat avaddon_ransomware
- behavioral1/files/0x00030000000130e0-36.dat avaddon_ransomware
- behavioral1/files/0x00030000000130e0-38.dat avaddon_ransomware
Phorphiex Payload 3 IoCs
Matches (resource, yara_rule):
- behavioral1/files/0x00050000000130dc-0.dat family_phorphiex
- behavioral1/files/0x00050000000130dc-2.dat family_phorphiex
- behavioral1/files/0x00050000000130dc-3.dat family_phorphiex
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
Executes dropped EXE 4 IoCs
Processes (pid, Process):
- 1628 winsvcs.exe
- 800 1955617763.exe
- 920 2181510612.exe
- 1604 1955617763.exe
Modifies extensions of user files 3 IoCs
Ransomware generally changes the extension on encrypted files.
Processes (description, ioc, Process):
- File opened for modification: C:\Users\Admin\Pictures\RemoveStart.tiff (1955617763.exe)
- File renamed: C:\Users\Admin\Pictures\InitializeStep.tif => C:\Users\Admin\Pictures\InitializeStep.tif.CBcCCCeADd (1955617763.exe)
- File renamed: C:\Users\Admin\Pictures\RemoveStart.tiff => C:\Users\Admin\Pictures\RemoveStart.tiff.CBcCCCeADd (1955617763.exe)
Loads dropped DLL 3 IoCs
Processes (pid, Process):
- 1084 b76e77b52d682f0938d120f3fe011660.exe
- 1628 winsvcs.exe
- 1628 winsvcs.exe
Windows security modification 4 IoCs
Processes (description, ioc, Process):
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" (winsvcs.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (winsvcs.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (winsvcs.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (winsvcs.exe)
Adds Run key to start application 2 TTPs 2 IoCs
Processes (description, ioc, Process):
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Services = "C:\\25942123283630\\winsvcs.exe" (b76e77b52d682f0938d120f3fe011660.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-4210623931-3856158591-1213714290-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Services = "C:\\25942123283630\\winsvcs.exe" (b76e77b52d682f0938d120f3fe011660.exe)
Checks whether UAC is enabled 1 IoCs
Processes (description, ioc, Process):
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (1955617763.exe)
Drops desktop.ini file(s) 1 IoCs
Processes (description, ioc, Process):
- File opened for modification: \??\Z:\$RECYCLE.BIN\S-1-5-21-4210623931-3856158591-1213714290-1000\desktop.ini (1955617763.exe)
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes (description, ioc, Process):
- File opened (read-only) by 1955617763.exe, in the order recorded: \??\Z:, \??\N:, \??\J:, \??\K:, \??\L:, \??\O:, \??\P:, \??\R:, \??\W:, \??\H:, \??\X:, \??\E:, \??\F:, \??\G:, \??\Q:, \??\S:, \??\Y:, \??\A:, \??\I:, \??\M:, \??\T:, \??\U:, \??\V:, \??\B:
Modifies service 2 TTPs 4 IoCs
Processes (description, ioc, Process):
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer (vssvc.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer (vssvc.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer (vssvc.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer (vssvc.exe)
Interacts with shadow copies 2 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes (pid, Process):
- 752 vssadmin.exe
- 688 vssadmin.exe
- 1700 vssadmin.exe
Suspicious behavior: EnumeratesProcesses 683 IoCs
Processes (pid, Process):
- 800 1955617763.exe (all 683 entries are this same pid and process)
Suspicious use of AdjustPrivilegeToken 63 IoCs
Processes (description, pid, Process):
- WMIC.exe, PIDs 884, 1448 and 748 (the same 20 tokens for each, in this order): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
- vssvc.exe, PID 1428: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
Suspicious use of WriteProcessMemory 112 IoCs
Processes (description, pid, Process, procid_target). Each of the 28 distinct entries below is recorded 4 times in the report, giving 112 IoCs:
- PID 1084 wrote to memory of 1628 (1084 b76e77b52d682f0938d120f3fe011660.exe, procid_target 28)
- PID 1628 wrote to memory of 800 (1628 winsvcs.exe, procid_target 31)
- PID 800 wrote to memory of 532 (800 1955617763.exe, procid_target 32)
- PID 800 wrote to memory of 920 (800 1955617763.exe, procid_target 34)
- PID 800 wrote to memory of 972 (800 1955617763.exe, procid_target 36)
- PID 800 wrote to memory of 1652 (800 1955617763.exe, procid_target 38)
- PID 532 wrote to memory of 884 (532 cmd.exe, procid_target 39)
- PID 800 wrote to memory of 288 (800 1955617763.exe, procid_target 41)
- PID 800 wrote to memory of 1572 (800 1955617763.exe, procid_target 43)
- PID 800 wrote to memory of 1696 (800 1955617763.exe, procid_target 45)
- PID 800 wrote to memory of 1888 (800 1955617763.exe, procid_target 47)
- PID 1696 wrote to memory of 1448 (1696 cmd.exe, procid_target 49)
- PID 800 wrote to memory of 1636 (800 1955617763.exe, procid_target 50)
- PID 1572 wrote to memory of 752 (1572 cmd.exe, procid_target 51)
- PID 800 wrote to memory of 1344 (800 1955617763.exe, procid_target 53)
- PID 800 wrote to memory of 2044 (800 1955617763.exe, procid_target 54)
- PID 800 wrote to memory of 1664 (800 1955617763.exe, procid_target 57)
- PID 800 wrote to memory of 1496 (800 1955617763.exe, procid_target 58)
- PID 800 wrote to memory of 1476 (800 1955617763.exe, procid_target 61)
- PID 800 wrote to memory of 1544 (800 1955617763.exe, procid_target 64)
- PID 1664 wrote to memory of 688 (1664 cmd.exe, procid_target 65)
- PID 1496 wrote to memory of 748 (1496 cmd.exe, procid_target 66)
- PID 800 wrote to memory of 560 (800 1955617763.exe, procid_target 67)
- PID 800 wrote to memory of 660 (800 1955617763.exe, procid_target 70)
- PID 800 wrote to memory of 1344 (800 1955617763.exe, procid_target 72)
- PID 1344 wrote to memory of 1700 (1344 cmd.exe, procid_target 74)
- PID 1628 wrote to memory of 920 (1628 winsvcs.exe, procid_target 76)
- PID 1188 wrote to memory of 1604 (1188 taskeng.exe, procid_target 78)
System policy modification 1 TTPs 3 IoCs
Processes (description, ioc, Process):
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (1955617763.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (1955617763.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" (1955617763.exe)
Processes
Process tree (indentation shows parent/child depth; each entry gives PID, image path, command line and the signatures attached to it):

PID 1084: C:\Users\Admin\AppData\Local\Temp\b76e77b52d682f0938d120f3fe011660.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\b76e77b52d682f0938d120f3fe011660.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID 1628: C:\25942123283630\winsvcs.exe
    cmdline: C:\25942123283630\winsvcs.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Suspicious use of WriteProcessMemory
    PID 800: C:\Users\Admin\AppData\Local\Temp\1955617763.exe
      cmdline: C:\Users\Admin\AppData\Local\Temp\1955617763.exe
      - Executes dropped EXE
      - Modifies extensions of user files
      - Checks whether UAC is enabled
      - Drops desktop.ini file(s)
      - Enumerates connected drives
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - System policy modification
      PID 532: C:\Windows\SysWOW64\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe" /c wmic.exe SHADOWCOPY /nointeractive
        - Suspicious use of WriteProcessMemory
        PID 884: C:\Windows\SysWOW64\Wbem\WMIC.exe
          cmdline: wmic.exe SHADOWCOPY /nointeractive
          - Suspicious use of AdjustPrivilegeToken
      PID 920: C:\Windows\SysWOW64\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe" /c wbadmin DELETE SYSTEMSTATEBACKUP
      PID 972: C:\Windows\SysWOW64\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe" /c wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
      PID 1652: C:\Windows\SysWOW64\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} recoveryenabled No
      PID 288: C:\Windows\SysWOW64\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
      PID 1572: C:\Windows\SysWOW64\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet
        - Suspicious use of WriteProcessMemory
        PID 752: C:\Windows\SysWOW64\vssadmin.exe
          cmdline: vssadmin.exe Delete Shadows /All /Quiet
          - Interacts with shadow copies
      PID 1696: C:\Windows\SysWOW64\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe" /c wmic.exe SHADOWCOPY /nointeractive
        - Suspicious use of WriteProcessMemory
        PID 1448: C:\Windows\SysWOW64\Wbem\WMIC.exe
          cmdline: wmic.exe SHADOWCOPY /nointeractive
          - Suspicious use of AdjustPrivilegeToken
      PID 1888: C:\Windows\SysWOW64\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe" /c wbadmin DELETE SYSTEMSTATEBACKUP
      PID 1636: C:\Windows\SysWOW64\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe" /c wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
      PID 1344: C:\Windows\SysWOW64\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} recoveryenabled No
      PID 2044: C:\Windows\SysWOW64\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
      PID 1664: C:\Windows\SysWOW64\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet
        PID 688: C:\Windows\SysWOW64\vssadmin.exe
          cmdline: vssadmin.exe Delete Shadows /All /Quiet
          - Interacts with shadow copies
      PID 1496: C:\Windows\SysWOW64\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe" /c wmic.exe SHADOWCOPY /nointeractive
        PID 748: C:\Windows\SysWOW64\Wbem\WMIC.exe
          cmdline: wmic.exe SHADOWCOPY /nointeractive
          - Suspicious use of AdjustPrivilegeToken
      PID 1476: C:\Windows\SysWOW64\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe" /c wbadmin DELETE SYSTEMSTATEBACKUP
      PID 1544: C:\Windows\SysWOW64\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe" /c wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
      PID 560: C:\Windows\SysWOW64\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} recoveryenabled No
      PID 660: C:\Windows\SysWOW64\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
      PID 1344: C:\Windows\SysWOW64\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet
        PID 1700: C:\Windows\SysWOW64\vssadmin.exe
          cmdline: vssadmin.exe Delete Shadows /All /Quiet
          - Interacts with shadow copies
    PID 920: C:\Users\Admin\AppData\Local\Temp\2181510612.exe
      cmdline: C:\Users\Admin\AppData\Local\Temp\2181510612.exe
      - Executes dropped EXE
PID 1428: C:\Windows\system32\vssvc.exe
  cmdline: C:\Windows\system32\vssvc.exe
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken
PID 1188: C:\Windows\system32\taskeng.exe
  cmdline: taskeng.exe {98EEE717-8586-4086-AB62-F975607CAA44} S-1-5-21-4210623931-3856158591-1213714290-1000:VDIPBIOF\Admin:Interactive:[1]
  PID 1604: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\1955617763.exe
    cmdline: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\1955617763.exe
    - Executes dropped EXE
Downloads
Two distinct file contents are listed (the report repeats each set of hashes once per dropped copy):

Listed 3 times:
MD5: b76e77b52d682f0938d120f3fe011660
SHA1: c1fdc71284b5a34b170470a6071626f40f4a4f65
SHA256: 0ba5efbb88dd3a6cf12923ed9f6abe16431e839cf0d0beebc3e2e0cdf1a6af5a
SHA512: 5547b31fd4635d81e8ea4d426c0133f291b0a1caa3237efb21f849fe71d2d504bf59a1d25e3a20265e6a6f8ce108e6adda47f66eed2c64ecfa96c593efb80177

Listed 7 times:
MD5: f653e6890e4afe6eb4081b3f94189dad
SHA1: a19718f52fa1f2dcba2acec7a4556f0dc77793d9
SHA256: d8432d6eca2162786cc16d694cf0a1a7e08095870325e46f3067bd654e47cfb2
SHA512: e8883ff02069766d8b2f8f8aac75292344d9dcc508084d7a96d26db2d8fdd8fac375d9d327b8c51a5e493304f5dc908a542c42e271856624157a7a0807c82bd2