Analysis
- max time kernel: 150s
- max time network: 143s
- platform: windows10_x64
- resource: win10
- submitted: 28-10-2020 10:21
Static task: static1
Behavioral task: behavioral1
- Sample: b76e77b52d682f0938d120f3fe011660.exe
- Resource: win7
Behavioral task: behavioral2
- Sample: b76e77b52d682f0938d120f3fe011660.exe
- Resource: win10
General
- Target: b76e77b52d682f0938d120f3fe011660.exe
- Size: 68KB
- MD5: b76e77b52d682f0938d120f3fe011660
- SHA1: c1fdc71284b5a34b170470a6071626f40f4a4f65
- SHA256: 0ba5efbb88dd3a6cf12923ed9f6abe16431e839cf0d0beebc3e2e0cdf1a6af5a
- SHA512: 5547b31fd4635d81e8ea4d426c0133f291b0a1caa3237efb21f849fe71d2d504bf59a1d25e3a20265e6a6f8ce108e6adda47f66eed2c64ecfa96c593efb80177
Malware Config
- Extracted from C:\odt\8xHXy_readme_.txt
  http://avaddonbotrxmuyl.onion
- Extracted from C:\Users\Admin\Downloads\8xHXy_readme_.txt
  http://avaddonbotrxmuyl.onion
- Extracted from C:\Users\Admin\Searches\8xHXy_readme_.txt
  http://avaddonbotrxmuyl.onion
Signatures
- Avaddon
  Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.
- Avaddon Ransomware 4 IoCs
  Processes (resource | yara_rule):
    C:\Users\Admin\AppData\Local\Temp\2560128089.exe | avaddon_ransomware
    C:\Users\Admin\AppData\Local\Temp\2560128089.exe | avaddon_ransomware
    C:\Users\Admin\AppData\Local\Temp\2271737858.exe | avaddon_ransomware
    C:\Users\Admin\AppData\Local\Temp\2271737858.exe | avaddon_ransomware
- Phorphiex Payload 2 IoCs
  Processes (resource | yara_rule):
    C:\132732751115422\winsvcs.exe | family_phorphiex
    C:\132732751115422\winsvcs.exe | family_phorphiex
- Deletes shadow copies 2 TTPs
  Ransomware often targets backup files to inhibit system recovery.
- Executes dropped EXE 3 IoCs
  Processes (pid | process):
    3632 | winsvcs.exe
    200 | 2560128089.exe
    4700 | 2271737858.exe
- Modifies extensions of user files 12 IoCs
  Ransomware generally changes the extension on encrypted files.
  Processes (description | ioc | process):
    File renamed | C:\Users\Admin\Pictures\StepRemove.tiff => C:\Users\Admin\Pictures\StepRemove.tiff.baDcdcdEdc | 2560128089.exe
    File renamed | C:\Users\Admin\Pictures\SkipEnable.raw => C:\Users\Admin\Pictures\SkipEnable.raw.baDcdcdEdc | 2560128089.exe
    File opened for modification | C:\Users\Admin\Pictures\UnprotectRename.tiff | 2560128089.exe
    File renamed | C:\Users\Admin\Pictures\PingCheckpoint.raw => C:\Users\Admin\Pictures\PingCheckpoint.raw.baDcdcdEdc | 2560128089.exe
    File opened for modification | C:\Users\Admin\Pictures\ResizeUnregister.tiff | 2560128089.exe
    File renamed | C:\Users\Admin\Pictures\MountPublish.png => C:\Users\Admin\Pictures\MountPublish.png.baDcdcdEdc | 2560128089.exe
    File opened for modification | C:\Users\Admin\Pictures\StepRemove.tiff | 2560128089.exe
    File renamed | C:\Users\Admin\Pictures\ResizeUnregister.tiff => C:\Users\Admin\Pictures\ResizeUnregister.tiff.baDcdcdEdc | 2560128089.exe
    File renamed | C:\Users\Admin\Pictures\CompressRequest.crw => C:\Users\Admin\Pictures\CompressRequest.crw.baDcdcdEdc | 2560128089.exe
    File renamed | C:\Users\Admin\Pictures\SelectStep.tif => C:\Users\Admin\Pictures\SelectStep.tif.baDcdcdEdc | 2560128089.exe
    File renamed | C:\Users\Admin\Pictures\UnprotectRename.tiff => C:\Users\Admin\Pictures\UnprotectRename.tiff.baDcdcdEdc | 2560128089.exe
    File renamed | C:\Users\Admin\Pictures\UseResize.tif => C:\Users\Admin\Pictures\UseResize.tif.baDcdcdEdc | 2560128089.exe
- Windows security modification
  Processes (description | ioc | process):
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | winsvcs.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | winsvcs.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | winsvcs.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | winsvcs.exe
- Adds Run key to start application 2 TTPs 2 IoCs
  Processes (description | ioc | process):
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Services = "C:\\132732751115422\\winsvcs.exe" | b76e77b52d682f0938d120f3fe011660.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-2627584638-3284755310-3019450177-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Services = "C:\\132732751115422\\winsvcs.exe" | b76e77b52d682f0938d120f3fe011660.exe
- Checks whether UAC is enabled
  Processes (description | ioc | process):
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 2560128089.exe
- Drops desktop.ini file(s) 1 IoCs
  Processes (description | ioc | process):
    File opened for modification | \??\Z:\$RECYCLE.BIN\S-1-5-21-2627584638-3284755310-3019450177-1000\desktop.ini | 2560128089.exe
- Enumerates connected drives 3 TTPs 24 IoCs
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes (description | ioc | process):
    File opened (read-only) by 2560128089.exe, one entry per drive root: \??\I:, \??\L:, \??\O:, \??\Q:, \??\S:, \??\U:, \??\Z:, \??\E:, \??\B:, \??\F:, \??\G:, \??\K:, \??\X:, \??\A:, \??\V:, \??\Y:, \??\T:, \??\J:, \??\M:, \??\N:, \??\P:, \??\R:, \??\W:, \??\H:
- Modifies service 2 TTPs 4 IoCs
  Processes (description | ioc | process):
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe
- Interacts with shadow copies 2 TTPs 3 IoCs
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes (pid | process):
    4500 | vssadmin.exe
    4552 | vssadmin.exe
    4628 | vssadmin.exe
- Suspicious behavior: EnumeratesProcesses 630 IoCs
  Processes (pid | process):
    200 | 2560128089.exe (the same entry recurs throughout the listing)
- Suspicious use of AdjustPrivilegeToken 66 IoCs
  Processes (description | pid | process):
    Token, for WMIC.exe PID 1960 and again for WMIC.exe PID 4368: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
    Token, for vssvc.exe PID 4576: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
    Token, for WMIC.exe PID 4544: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34
- Suspicious use of WriteProcessMemory 81 IoCs
  Processes (description | pid | process | target process); each pair below is recorded three times in the listing:
    PID 3524 (b76e77b52d682f0938d120f3fe011660.exe) wrote to memory of PID 3632 (winsvcs.exe)
    PID 3632 (winsvcs.exe) wrote to memory of PID 200 (2560128089.exe)
    PID 200 (2560128089.exe) wrote to memory of cmd.exe PIDs 8, 2080, 3304, 1904, 2792, 1864, 496, 3068, 208, 2544, 3880, 3948, 3460, 4144, 4192, 4244, 4292, 4352
    PID 8 (cmd.exe) wrote to memory of PID 1960 (WMIC.exe)
    PID 496 (cmd.exe) wrote to memory of PID 4368 (WMIC.exe)
- System policy modification 1 TTPs 3 IoCs
  Processes (description | ioc | process):
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 2560128089.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 2560128089.exe
    Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | 2560128089.exe
Processes (process tree; the number in brackets is the depth in the tree, followed by the image path and the command line)
[1] C:\Users\Admin\AppData\Local\Temp\b76e77b52d682f0938d120f3fe011660.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\b76e77b52d682f0938d120f3fe011660.exe"
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
  [2] C:\132732751115422\winsvcs.exe
      cmd: C:\132732751115422\winsvcs.exe
      - Executes dropped EXE
      - Windows security modification
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\2560128089.exe
        cmd: C:\Users\Admin\AppData\Local\Temp\2560128089.exe
        - Executes dropped EXE
        - Modifies extensions of user files
        - Checks whether UAC is enabled
        - Drops desktop.ini file(s)
        - Enumerates connected drives
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - System policy modification
      [4] C:\Windows\SysWOW64\cmd.exe
          cmd: "C:\Windows\System32\cmd.exe" /c wmic.exe SHADOWCOPY /nointeractive
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\Wbem\WMIC.exe
            cmd: wmic.exe SHADOWCOPY /nointeractive
            - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\cmd.exe
          cmd: "C:\Windows\System32\cmd.exe" /c wbadmin DELETE SYSTEMSTATEBACKUP
      [4] C:\Windows\SysWOW64\cmd.exe
          cmd: "C:\Windows\System32\cmd.exe" /c wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
      [4] C:\Windows\SysWOW64\cmd.exe
          cmd: "C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} recoveryenabled No
      [4] C:\Windows\SysWOW64\cmd.exe
          cmd: "C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
      [4] C:\Windows\SysWOW64\cmd.exe
          cmd: "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet
        [5] C:\Windows\SysWOW64\vssadmin.exe
            cmd: vssadmin.exe Delete Shadows /All /Quiet
            - Interacts with shadow copies
      [4] C:\Windows\SysWOW64\cmd.exe
          cmd: "C:\Windows\System32\cmd.exe" /c wmic.exe SHADOWCOPY /nointeractive
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\Wbem\WMIC.exe
            cmd: wmic.exe SHADOWCOPY /nointeractive
            - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\cmd.exe
          cmd: "C:\Windows\System32\cmd.exe" /c wbadmin DELETE SYSTEMSTATEBACKUP
      [4] C:\Windows\SysWOW64\cmd.exe
          cmd: "C:\Windows\System32\cmd.exe" /c wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
      [4] C:\Windows\SysWOW64\cmd.exe
          cmd: "C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} recoveryenabled No
      [4] C:\Windows\SysWOW64\cmd.exe
          cmd: "C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
      [4] C:\Windows\SysWOW64\cmd.exe
          cmd: "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet
        [5] C:\Windows\SysWOW64\vssadmin.exe
            cmd: vssadmin.exe Delete Shadows /All /Quiet
            - Interacts with shadow copies
      [4] C:\Windows\SysWOW64\cmd.exe
          cmd: "C:\Windows\System32\cmd.exe" /c wmic.exe SHADOWCOPY /nointeractive
        [5] C:\Windows\SysWOW64\Wbem\WMIC.exe
            cmd: wmic.exe SHADOWCOPY /nointeractive
            - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\cmd.exe
          cmd: "C:\Windows\System32\cmd.exe" /c wbadmin DELETE SYSTEMSTATEBACKUP
      [4] C:\Windows\SysWOW64\cmd.exe
          cmd: "C:\Windows\System32\cmd.exe" /c wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
      [4] C:\Windows\SysWOW64\cmd.exe
          cmd: "C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} recoveryenabled No
      [4] C:\Windows\SysWOW64\cmd.exe
          cmd: "C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
      [4] C:\Windows\SysWOW64\cmd.exe
          cmd: "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet
        [5] C:\Windows\SysWOW64\vssadmin.exe
            cmd: vssadmin.exe Delete Shadows /All /Quiet
            - Interacts with shadow copies
    [3] C:\Users\Admin\AppData\Local\Temp\2271737858.exe
        cmd: C:\Users\Admin\AppData\Local\Temp\2271737858.exe
        - Executes dropped EXE
[1] C:\Windows\system32\vssvc.exe
    cmd: C:\Windows\system32\vssvc.exe
    - Modifies service
    - Suspicious use of AdjustPrivilegeToken
Downloads
- C:\132732751115422\winsvcs.exe
  MD5: b76e77b52d682f0938d120f3fe011660
  SHA1: c1fdc71284b5a34b170470a6071626f40f4a4f65
  SHA256: 0ba5efbb88dd3a6cf12923ed9f6abe16431e839cf0d0beebc3e2e0cdf1a6af5a
  SHA512: 5547b31fd4635d81e8ea4d426c0133f291b0a1caa3237efb21f849fe71d2d504bf59a1d25e3a20265e6a6f8ce108e6adda47f66eed2c64ecfa96c593efb80177
- C:\Users\Admin\AppData\Local\Temp\2271737858.exe
  MD5: f653e6890e4afe6eb4081b3f94189dad
  SHA1: a19718f52fa1f2dcba2acec7a4556f0dc77793d9
  SHA256: d8432d6eca2162786cc16d694cf0a1a7e08095870325e46f3067bd654e47cfb2
  SHA512: e8883ff02069766d8b2f8f8aac75292344d9dcc508084d7a96d26db2d8fdd8fac375d9d327b8c51a5e493304f5dc908a542c42e271856624157a7a0807c82bd2
- C:\Users\Admin\AppData\Local\Temp\2560128089.exe
  MD5: f653e6890e4afe6eb4081b3f94189dad
  SHA1: a19718f52fa1f2dcba2acec7a4556f0dc77793d9
  SHA256: d8432d6eca2162786cc16d694cf0a1a7e08095870325e46f3067bd654e47cfb2
  SHA512: e8883ff02069766d8b2f8f8aac75292344d9dcc508084d7a96d26db2d8fdd8fac375d9d327b8c51a5e493304f5dc908a542c42e271856624157a7a0807c82bd2