Analysis
-
max time kernel
150s -
max time network
143s -
platform
windows10_x64 -
resource
win10 -
submitted
28-10-2020 10:21
General
-
Target
b76e77b52d682f0938d120f3fe011660.exe
-
Size
68KB
-
MD5
b76e77b52d682f0938d120f3fe011660
-
SHA1
c1fdc71284b5a34b170470a6071626f40f4a4f65
-
SHA256
0ba5efbb88dd3a6cf12923ed9f6abe16431e839cf0d0beebc3e2e0cdf1a6af5a
-
SHA512
5547b31fd4635d81e8ea4d426c0133f291b0a1caa3237efb21f849fe71d2d504bf59a1d25e3a20265e6a6f8ce108e6adda47f66eed2c64ecfa96c593efb80177
Score
10/10
Malware Config
Extracted
Path
C:\odt\8xHXy_readme_.txt
Ransom Note
-------=== Your network has been infected! ===-------
***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED *****************
All your documents, photos, databases and other important files have been encrypted and have the extension: .baDcdcdEdc
You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files!
The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files!
We have also downloaded a lot of private data from your network.
If you do not contact as in a 3 days we will post information about your breach on our public news website and after 7 days the whole downloaded info.
You can get more information on our page, which is located in a Tor hidden network.
How to get to our page
--------------------------------------------------------------------------------
|
| 1. Download Tor browser - https://www.torproject.org/
|
| 2. Install Tor browser
|
| 3. Open link in Tor browser - avaddonbotrxmuyl.onion
|
| 4. Follow the instructions on this page
|
--------------------------------------------------------------------------------
Your ID:
--------------------------------------------------------------------------------
NzMwLUhqK0o5SEg0RGM5TFNkdWN1ZjlCWDgyeU9RbERTY0R6TVRJaWRJbUgyZUt1clcyMUhhVWdBWU0vMnpXdW4xa01kc2xWYmdDNkRYYkplYjg4SUlmbVBWQUtUM29OYlhiZHpabXhVOWtUOEMzeXBNRkxlVlA1SllkN3RpZVBxUSt2MUdkU0J4K3NUS2QxdHFrdEZkSkU0KzR2NldueXVZY01MaWRya2xQbDN2UWpKR244dktjcVRDMENnYlBrWmtWa2xqR1pWTkFoMG5vSEsyRlRNek1EZHp1KzREaUZTeUl6QllLSlozQnliNGIvQUdzUXRmYVhLQ3V1T1NiRytvbWtLZU1HSUpPNXU4RWt0cytOcFlYV1VVZlZkYkNOSHdMd1NjS1BodVJialhTZHgvSDNJWlZUSkNFQ1lKTXNaRnF0TmJJS3p0NitsdUYvcEZGZEJQYkR1elNRUC9pUWU4eXVOQmFrMEJiTG1EblFOZGRhRTVlaEFlQUc0UkdzSkxXMlBTeDM4Q0xKei9BSFZsSmY3b1ZBdWN3ajRmTGJQWk9hS0hNVVFCazRlRmZUc0poL0tCVjZGeW51Smx4WmNCeE95N2xVR21ZbHZaRGVKbjU4Z0NkVEFpTWNudWJVSVVtczh2ZjV3ZEFSWUJyS1V6Q2FPbE9hV2hnL1BkcHRaVEVBNlNsbGg0elRXUEZ4Vm9iK09HZHVqTkx0MnJpZ210ekRTUkFOa0V6R21iUzFYQ25hNUQ3YWlVSGNpSEprMjF6dEYwaC93MGtBUFBGNytzdUFEU3dnaC9CZmdzUU1ndjJtbXk5Z2ttbTRUc0ZaWWFNc2NzNTFLMTREM3JDYjFVZWk4T2ROcDF4UXJDb3VxSVBHeTdWTEY5eExxVllEZ292MVl2QzBZOUE3MVdDYy9LR3hXeU1Fa0owSFpsSVhCRWYrekY4aEV4b21XY1NGRkdhUFVHb3pEYktZUmRGdzRlQzhkZy9IbGREU2luZ0w0N1BNMDFPNm1XYWZYWC83U3BzOVNoVU15N2U4ek5CUjRzUmE0d0dKaW4xbWh5ZzhLSmVoTmg1a1g5dkRjMVM3VlZRdGNLcW9FRFZqNUlvb0Vob1U4VE0xQWYvbkFaR0NxQ1Z4VVBXenpxdjVDeHJRamxEZE9hQkdLeFJBNmJwb2V2TGI4MkRVQzJvdndnZnRGSG1HL2t0UTRIVEJLSXVMbXZReE1DeWw2bFBzWFJZckUxNkNBWkRQK1pRSG5VajVMVHNxb25nT00vZFVVQnNhcEpack5EODBGU3ViRnpQVlhHQzZQbFBKNjltRnBaWE1NZnkzU0xqVC9vSUF1Y2xyUzdob2VhSzlCVFUxYzEvWER1dEJHQmR6RVlyRG9qUkdhRmlHdXQrYkZEOE9Dak1UWGJxWERXeVlQUS9ybko1VXJLN1AyYS95TUYxQUJBb3E2K3BocVNqQS9tRUVOVE9YV1NhQVdFNDcvNCtiZFpWbWgzcFowbnZpQ29yOTVOQjZjOFFLbkJldXFsNkVObGtNbFNjZm8rcUlrczBzbUtMbFVHN2Q4bHFUYjhmOXZDbG92VlVnaHQ2NGtpRzd2ZDEzY2VGSFNJTXUrWDdGdzV1MndMa3FrZ1FJby8xbTlvWEQ5SXUrQit4OGF2Q2ZxYmlsRVF2NnBPSkdRSnZrbTdnZEpobk0xcWJSaERJbC9DM1NyczA2b2UxTjR3OHJselpoWFQzQ1VDbmZmbTQrdXFDdElXZGJTYXV6em8zOTFaNzY1Uk54OHh5L2dEMlB2NzQxV1BycVNrWEZ2YytaWjV0eGhBRnNwRkE1MlBxMGorSUk0R1p6Nk1rV0pCaU52Ylk4QjVqYndrWjZNY3lsb1RKVDBzWGQ4Zk5FUDVONUV2OTkzMHV2bzZVM0lMeDh3WXhQbXdicEZhbER1d2hUYUFVcEZwYnFNS2ZyL1MyTlN0dU9iRG9GZ2w3cEF2b3hiSjFBT3djVGo1RVFRazFuK0YrOEt6bTZjTFpaVE1zVHJvR1M0TXZRdmZkanZ0U3NlVUtCM20rMEZNd0dhdnZORUVDUFFWMDFCMmhiZ1YrdVBBbnJ0TlRiUm02aitMdUpIWjQ9
--------------------------------------------------------------------------------
* DO NOT TRY TO RECOVER FILES YOURSELF!
* DO NOT MODIFY ENCRYPTED FILES!
* * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * *
LhTk70N0xaqZ0aou9JtOs0u
URLs
http://avaddonbotrxmuyl.onion
Extracted
Path
C:\Users\Admin\Downloads\8xHXy_readme_.txt
Ransom Note
-------=== Your network has been infected! ===-------
***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED *****************
All your documents, photos, databases and other important files have been encrypted and have the extension: .baDcdcdEdc
You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files!
The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files!
We have also downloaded a lot of private data from your network.
If you do not contact as in a 3 days we will post information about your breach on our public news website and after 7 days the whole downloaded info.
You can get more information on our page, which is located in a Tor hidden network.
How to get to our page
--------------------------------------------------------------------------------
|
| 1. Download Tor browser - https://www.torproject.org/
|
| 2. Install Tor browser
|
| 3. Open link in Tor browser - avaddonbotrxmuyl.onion
|
| 4. Follow the instructions on this page
|
--------------------------------------------------------------------------------
Your ID:
--------------------------------------------------------------------------------
NzMwLUhqK0o5SEg0RGM5TFNkdWN1ZjlCWDgyeU9RbERTY0R6TVRJaWRJbUgyZUt1clcyMUhhVWdBWU0vMnpXdW4xa01kc2xWYmdDNkRYYkplYjg4SUlmbVBWQUtUM29OYlhiZHpabXhVOWtUOEMzeXBNRkxlVlA1SllkN3RpZVBxUSt2MUdkU0J4K3NUS2QxdHFrdEZkSkU0KzR2NldueXVZY01MaWRya2xQbDN2UWpKR244dktjcVRDMENnYlBrWmtWa2xqR1pWTkFoMG5vSEsyRlRNek1EZHp1KzREaUZTeUl6QllLSlozQnliNGIvQUdzUXRmYVhLQ3V1T1NiRytvbWtLZU1HSUpPNXU4RWt0cytOcFlYV1VVZlZkYkNOSHdMd1NjS1BodVJialhTZHgvSDNJWlZUSkNFQ1lKTXNaRnF0TmJJS3p0NitsdUYvcEZGZEJQYkR1elNRUC9pUWU4eXVOQmFrMEJiTG1EblFOZGRhRTVlaEFlQUc0UkdzSkxXMlBTeDM4Q0xKei9BSFZsSmY3b1ZBdWN3ajRmTGJQWk9hS0hNVVFCazRlRmZUc0poL0tCVjZGeW51Smx4WmNCeE95N2xVR21ZbHZaRGVKbjU4Z0NkVEFpTWNudWJVSVVtczh2ZjV3ZEFSWUJyS1V6Q2FPbE9hV2hnL1BkcHRaVEVBNlNsbGg0elRXUEZ4Vm9iK09HZHVqTkx0MnJpZ210ekRTUkFOa0V6R21iUzFYQ25hNUQ3YWlVSGNpSEprMjF6dEYwaC93MGtBUFBGNytzdUFEU3dnaC9CZmdzUU1ndjJtbXk5Z2ttbTRUc0ZaWWFNc2NzNTFLMTREM3JDYjFVZWk4T2ROcDF4UXJDb3VxSVBHeTdWTEY5eExxVllEZ292MVl2QzBZOUE3MVdDYy9LR3hXeU1Fa0owSFpsSVhCRWYrekY4aEV4b21XY1NGRkdhUFVHb3pEYktZUmRGdzRlQzhkZy9IbGREU2luZ0w0N1BNMDFPNm1XYWZYWC83U3BzOVNoVU15N2U4ek5CUjRzUmE0d0dKaW4xbWh5ZzhLSmVoTmg1a1g5dkRjMVM3VlZRdGNLcW9FRFZqNUlvb0Vob1U4VE0xQWYvbkFaR0NxQ1Z4VVBXenpxdjVDeHJRamxEZE9hQkdLeFJBNmJwb2V2TGI4MkRVQzJvdndnZnRGSG1HL2t0UTRIVEJLSXVMbXZReE1DeWw2bFBzWFJZckUxNkNBWkRQK1pRSG5VajVMVHNxb25nT00vZFVVQnNhcEpack5EODBGU3ViRnpQVlhHQzZQbFBKNjltRnBaWE1NZnkzU0xqVC9vSUF1Y2xyUzdob2VhSzlCVFUxYzEvWER1dEJHQmR6RVlyRG9qUkdhRmlHdXQrYkZEOE9Dak1UWGJxWERXeVlQUS9ybko1VXJLN1AyYS95TUYxQUJBb3E2K3BocVNqQS9tRUVOVE9YV1NhQVdFNDcvNCtiZFpWbWgzcFowbnZpQ29yOTVOQjZjOFFLbkJldXFsNkVObGtNbFNjZm8rcUlrczBzbUtMbFVHN2Q4bHFUYjhmOXZDbG92VlVnaHQ2NGtpRzd2ZDEzY2VGSFNJTXUrWDdGdzV1MndMa3FrZ1FJby8xbTlvWEQ5SXUrQit4OGF2Q2ZxYmlsRVF2NnBPSkdRSnZrbTdnZEpobk0xcWJSaERJbC9DM1NyczA2b2UxTjR3OHJselpoWFQzQ1VDbmZmbTQrdXFDdElXZGJTYXV6em8zOTFaNzY1Uk54OHh5L2dEMlB2NzQxV1BycVNrWEZ2YytaWjV0eGhBRnNwRkE1MlBxMGorSUk0R1p6Nk1rV0pCaU52Ylk4QjVqYndrWjZNY3lsb1RKVDBzWGQ4Zk5FUDVONUV2OTkzMHV2bzZVM0lMeDh3WXhQbXdicEZhbER1d2hUYUFVcEZwYnFNS2ZyL1MyTlN0dU9iRG9GZ2w3cEF2b3hiSjFBT3djVGo1RVFRazFuK0YrOEt6bTZjTFpaVE1zVHJvR1M0TXZRdmZkanZ0U3NlVUtCM20rMEZNd0dhdnZORUVDUFFWMDFCMmhiZ1YrdVBBbnJ0TlRiUm02aitMdUpIWjQ9
--------------------------------------------------------------------------------
* DO NOT TRY TO RECOVER FILES YOURSELF!
* DO NOT MODIFY ENCRYPTED FILES!
* * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * *
hJb7SCAKnDYdM0SwLqJ0ZA22eb
URLs
http://avaddonbotrxmuyl.onion
Extracted
Path
C:\Users\Admin\Searches\8xHXy_readme_.txt
Ransom Note
-------=== Your network has been infected! ===-------
***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED *****************
All your documents, photos, databases and other important files have been encrypted and have the extension: .baDcdcdEdc
You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files!
The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files!
We have also downloaded a lot of private data from your network.
If you do not contact as in a 3 days we will post information about your breach on our public news website and after 7 days the whole downloaded info.
You can get more information on our page, which is located in a Tor hidden network.
How to get to our page
--------------------------------------------------------------------------------
|
| 1. Download Tor browser - https://www.torproject.org/
|
| 2. Install Tor browser
|
| 3. Open link in Tor browser - avaddonbotrxmuyl.onion
|
| 4. Follow the instructions on this page
|
--------------------------------------------------------------------------------
Your ID:
--------------------------------------------------------------------------------
NzMwLUhqK0o5SEg0RGM5TFNkdWN1ZjlCWDgyeU9RbERTY0R6TVRJaWRJbUgyZUt1clcyMUhhVWdBWU0vMnpXdW4xa01kc2xWYmdDNkRYYkplYjg4SUlmbVBWQUtUM29OYlhiZHpabXhVOWtUOEMzeXBNRkxlVlA1SllkN3RpZVBxUSt2MUdkU0J4K3NUS2QxdHFrdEZkSkU0KzR2NldueXVZY01MaWRya2xQbDN2UWpKR244dktjcVRDMENnYlBrWmtWa2xqR1pWTkFoMG5vSEsyRlRNek1EZHp1KzREaUZTeUl6QllLSlozQnliNGIvQUdzUXRmYVhLQ3V1T1NiRytvbWtLZU1HSUpPNXU4RWt0cytOcFlYV1VVZlZkYkNOSHdMd1NjS1BodVJialhTZHgvSDNJWlZUSkNFQ1lKTXNaRnF0TmJJS3p0NitsdUYvcEZGZEJQYkR1elNRUC9pUWU4eXVOQmFrMEJiTG1EblFOZGRhRTVlaEFlQUc0UkdzSkxXMlBTeDM4Q0xKei9BSFZsSmY3b1ZBdWN3ajRmTGJQWk9hS0hNVVFCazRlRmZUc0poL0tCVjZGeW51Smx4WmNCeE95N2xVR21ZbHZaRGVKbjU4Z0NkVEFpTWNudWJVSVVtczh2ZjV3ZEFSWUJyS1V6Q2FPbE9hV2hnL1BkcHRaVEVBNlNsbGg0elRXUEZ4Vm9iK09HZHVqTkx0MnJpZ210ekRTUkFOa0V6R21iUzFYQ25hNUQ3YWlVSGNpSEprMjF6dEYwaC93MGtBUFBGNytzdUFEU3dnaC9CZmdzUU1ndjJtbXk5Z2ttbTRUc0ZaWWFNc2NzNTFLMTREM3JDYjFVZWk4T2ROcDF4UXJDb3VxSVBHeTdWTEY5eExxVllEZ292MVl2QzBZOUE3MVdDYy9LR3hXeU1Fa0owSFpsSVhCRWYrekY4aEV4b21XY1NGRkdhUFVHb3pEYktZUmRGdzRlQzhkZy9IbGREU2luZ0w0N1BNMDFPNm1XYWZYWC83U3BzOVNoVU15N2U4ek5CUjRzUmE0d0dKaW4xbWh5ZzhLSmVoTmg1a1g5dkRjMVM3VlZRdGNLcW9FRFZqNUlvb0Vob1U4VE0xQWYvbkFaR0NxQ1Z4VVBXenpxdjVDeHJRamxEZE9hQkdLeFJBNmJwb2V2TGI4MkRVQzJvdndnZnRGSG1HL2t0UTRIVEJLSXVMbXZReE1DeWw2bFBzWFJZckUxNkNBWkRQK1pRSG5VajVMVHNxb25nT00vZFVVQnNhcEpack5EODBGU3ViRnpQVlhHQzZQbFBKNjltRnBaWE1NZnkzU0xqVC9vSUF1Y2xyUzdob2VhSzlCVFUxYzEvWER1dEJHQmR6RVlyRG9qUkdhRmlHdXQrYkZEOE9Dak1UWGJxWERXeVlQUS9ybko1VXJLN1AyYS95TUYxQUJBb3E2K3BocVNqQS9tRUVOVE9YV1NhQVdFNDcvNCtiZFpWbWgzcFowbnZpQ29yOTVOQjZjOFFLbkJldXFsNkVObGtNbFNjZm8rcUlrczBzbUtMbFVHN2Q4bHFUYjhmOXZDbG92VlVnaHQ2NGtpRzd2ZDEzY2VGSFNJTXUrWDdGdzV1MndMa3FrZ1FJby8xbTlvWEQ5SXUrQit4OGF2Q2ZxYmlsRVF2NnBPSkdRSnZrbTdnZEpobk0xcWJSaERJbC9DM1NyczA2b2UxTjR3OHJselpoWFQzQ1VDbmZmbTQrdXFDdElXZGJTYXV6em8zOTFaNzY1Uk54OHh5L2dEMlB2NzQxV1BycVNrWEZ2YytaWjV0eGhBRnNwRkE1MlBxMGorSUk0R1p6Nk1rV0pCaU52Ylk4QjVqYndrWjZNY3lsb1RKVDBzWGQ4Zk5FUDVONUV2OTkzMHV2bzZVM0lMeDh3WXhQbXdicEZhbER1d2hUYUFVcEZwYnFNS2ZyL1MyTlN0dU9iRG9GZ2w3cEF2b3hiSjFBT3djVGo1RVFRazFuK0YrOEt6bTZjTFpaVE1zVHJvR1M0TXZRdmZkanZ0U3NlVUtCM20rMEZNd0dhdnZORUVDUFFWMDFCMmhiZ1YrdVBBbnJ0TlRiUm02aitMdUpIWjQ9
--------------------------------------------------------------------------------
* DO NOT TRY TO RECOVER FILES YOURSELF!
* DO NOT MODIFY ENCRYPTED FILES!
* * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * *
XRCTnPx7dpGCEwaU0ME7kpB3Vmy4v
URLs
http://avaddonbotrxmuyl.onion
Signatures
-
Avaddon
Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.
-
Avaddon Ransomware 4 IoCs
-
Phorphiex Payload 2 IoCs
-
Phorphiex Worm
Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
-
UAC bypass 3 TTPs
-
Windows security bypass 2 TTPs
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE 3 IoCs
-
Modifies extensions of user files 12 IoCs
Ransomware generally changes the extension on encrypted files.
-
Windows security modification 2 TTPs 4 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Drops desktop.ini file(s) 1 IoCs
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Modifies service 2 TTPs 4 IoCs
-
Interacts with shadow copies 2 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Suspicious behavior: EnumeratesProcesses 630 IoCs
-
Suspicious use of AdjustPrivilegeToken 66 IoCs
-
Suspicious use of WriteProcessMemory 81 IoCs
-
System policy modification 1 TTPs 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\b76e77b52d682f0938d120f3fe011660.exe"C:\Users\Admin\AppData\Local\Temp\b76e77b52d682f0938d120f3fe011660.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\132732751115422\winsvcs.exeC:\132732751115422\winsvcs.exe2⤵
- Executes dropped EXE
- Windows security modification
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\2560128089.exeC:\Users\Admin\AppData\Local\Temp\2560128089.exe3⤵
- Executes dropped EXE
- Modifies extensions of user files
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c wmic.exe SHADOWCOPY /nointeractive4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic.exe SHADOWCOPY /nointeractive5⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c wbadmin DELETE SYSTEMSTATEBACKUP4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} recoveryenabled No4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet4⤵
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet5⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c wmic.exe SHADOWCOPY /nointeractive4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic.exe SHADOWCOPY /nointeractive5⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c wbadmin DELETE SYSTEMSTATEBACKUP4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} recoveryenabled No4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet4⤵
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet5⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c wmic.exe SHADOWCOPY /nointeractive4⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic.exe SHADOWCOPY /nointeractive5⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c wbadmin DELETE SYSTEMSTATEBACKUP4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} recoveryenabled No4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet4⤵
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet5⤵
- Interacts with shadow copies
-
C:\Users\Admin\AppData\Local\Temp\2271737858.exeC:\Users\Admin\AppData\Local\Temp\2271737858.exe3⤵
- Executes dropped EXE
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\132732751115422\winsvcs.exeMD5
b76e77b52d682f0938d120f3fe011660
SHA1c1fdc71284b5a34b170470a6071626f40f4a4f65
SHA2560ba5efbb88dd3a6cf12923ed9f6abe16431e839cf0d0beebc3e2e0cdf1a6af5a
SHA5125547b31fd4635d81e8ea4d426c0133f291b0a1caa3237efb21f849fe71d2d504bf59a1d25e3a20265e6a6f8ce108e6adda47f66eed2c64ecfa96c593efb80177
-
C:\132732751115422\winsvcs.exeMD5
b76e77b52d682f0938d120f3fe011660
SHA1c1fdc71284b5a34b170470a6071626f40f4a4f65
SHA2560ba5efbb88dd3a6cf12923ed9f6abe16431e839cf0d0beebc3e2e0cdf1a6af5a
SHA5125547b31fd4635d81e8ea4d426c0133f291b0a1caa3237efb21f849fe71d2d504bf59a1d25e3a20265e6a6f8ce108e6adda47f66eed2c64ecfa96c593efb80177
-
C:\Users\Admin\AppData\Local\Temp\2271737858.exeMD5
f653e6890e4afe6eb4081b3f94189dad
SHA1a19718f52fa1f2dcba2acec7a4556f0dc77793d9
SHA256d8432d6eca2162786cc16d694cf0a1a7e08095870325e46f3067bd654e47cfb2
SHA512e8883ff02069766d8b2f8f8aac75292344d9dcc508084d7a96d26db2d8fdd8fac375d9d327b8c51a5e493304f5dc908a542c42e271856624157a7a0807c82bd2
-
C:\Users\Admin\AppData\Local\Temp\2271737858.exeMD5
f653e6890e4afe6eb4081b3f94189dad
SHA1a19718f52fa1f2dcba2acec7a4556f0dc77793d9
SHA256d8432d6eca2162786cc16d694cf0a1a7e08095870325e46f3067bd654e47cfb2
SHA512e8883ff02069766d8b2f8f8aac75292344d9dcc508084d7a96d26db2d8fdd8fac375d9d327b8c51a5e493304f5dc908a542c42e271856624157a7a0807c82bd2
-
C:\Users\Admin\AppData\Local\Temp\2560128089.exeMD5
f653e6890e4afe6eb4081b3f94189dad
SHA1a19718f52fa1f2dcba2acec7a4556f0dc77793d9
SHA256d8432d6eca2162786cc16d694cf0a1a7e08095870325e46f3067bd654e47cfb2
SHA512e8883ff02069766d8b2f8f8aac75292344d9dcc508084d7a96d26db2d8fdd8fac375d9d327b8c51a5e493304f5dc908a542c42e271856624157a7a0807c82bd2
-
C:\Users\Admin\AppData\Local\Temp\2560128089.exeMD5
f653e6890e4afe6eb4081b3f94189dad
SHA1a19718f52fa1f2dcba2acec7a4556f0dc77793d9
SHA256d8432d6eca2162786cc16d694cf0a1a7e08095870325e46f3067bd654e47cfb2
SHA512e8883ff02069766d8b2f8f8aac75292344d9dcc508084d7a96d26db2d8fdd8fac375d9d327b8c51a5e493304f5dc908a542c42e271856624157a7a0807c82bd2
-
memory/8-6-0x0000000000000000-mapping.dmp
-
memory/200-3-0x0000000000000000-mapping.dmp
-
memory/208-15-0x0000000000000000-mapping.dmp
-
memory/496-13-0x0000000000000000-mapping.dmp
-
memory/1864-12-0x0000000000000000-mapping.dmp
-
memory/1904-9-0x0000000000000000-mapping.dmp
-
memory/1960-11-0x0000000000000000-mapping.dmp
-
memory/2080-7-0x0000000000000000-mapping.dmp
-
memory/2544-16-0x0000000000000000-mapping.dmp
-
memory/2792-10-0x0000000000000000-mapping.dmp
-
memory/3068-14-0x0000000000000000-mapping.dmp
-
memory/3304-8-0x0000000000000000-mapping.dmp
-
memory/3460-19-0x0000000000000000-mapping.dmp
-
memory/3632-0-0x0000000000000000-mapping.dmp
-
memory/3880-17-0x0000000000000000-mapping.dmp
-
memory/3948-18-0x0000000000000000-mapping.dmp
-
memory/4144-20-0x0000000000000000-mapping.dmp
-
memory/4192-21-0x0000000000000000-mapping.dmp
-
memory/4244-22-0x0000000000000000-mapping.dmp
-
memory/4292-23-0x0000000000000000-mapping.dmp
-
memory/4352-24-0x0000000000000000-mapping.dmp
-
memory/4368-25-0x0000000000000000-mapping.dmp
-
memory/4500-26-0x0000000000000000-mapping.dmp
-
memory/4544-27-0x0000000000000000-mapping.dmp
-
memory/4552-28-0x0000000000000000-mapping.dmp
-
memory/4628-29-0x0000000000000000-mapping.dmp
-
memory/4700-30-0x0000000000000000-mapping.dmp