Analysis
max time kernel: 128s
max time network: 14s
platform: windows7_x64
resource: win7v20210408
submitted: 20-04-2021 09:05
Static task: static1
Behavioral task: behavioral1, sample download.exe, resource win7v20210408
Behavioral task: behavioral2, sample download.exe, resource win10v20210410
General
Target: download.exe
Size: 775KB
MD5: b1d5df48725672b525c8879670d10eaa
SHA1: 6a6956aff077aeda5b22873cfb891632fbce6bc7
SHA256: f9b748cf35278dc4bfaa2127ca1d6016fafbeb768b1a09c7ab58560632dbd637
SHA512: 7fc5fda6187a994cebc8d2e3eb895eabeea1b2b2f8195951e9b32375d23f0d9c709f69016813d97cbdf9d0a01f3e10aaf2360dfb712127aba06feef12c22035c
Malware Config
Extracted from the ransom note tEyFD_readme_.txt, which the sample drops into several user folders:
- C:\Users\Admin\Contacts\tEyFD_readme_.txt
- C:\Users\Admin\Downloads\tEyFD_readme_.txt
- C:\Users\Admin\Favorites\Links\tEyFD_readme_.txt
- C:\Users\Admin\Searches\tEyFD_readme_.txt
Every copy of the note carries the same two Tor hidden-service URLs:
http://avaddongun7rngel.onion
http://avaddonbotrxmuyl.onion
Signatures

Avaddon
Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.

Avaddon Ransomware (2 IoCs)
resource | yara_rule
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\download.exe | avaddon_ransomware
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\download.exe | avaddon_ransomware
Process spawned unexpected child process (3 IoCs)
This typically indicates the parent process was compromised via an exploit or macro. That reading does not fit this tree: each of the three system32 wmic.exe instances under wmiprvse.exe repeats the exact command line of a SysWOW64 wmic.exe that download.exe launched directly, which is consistent with the WMI provider host re-executing a 32-bit client's shadow-copy request with the native 64-bit wmic.exe rather than with wmiprvse.exe having been exploited. Treat the wmiprvse.exe -> wmic.exe edge as a shadow-copy-deletion indicator in its own right, not as evidence of a separate exploit.
description | pid | pid_target | process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 316 | 1728 | wmic.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 856 | 1728 | wmic.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1672 | 1728 | wmic.exe
(316, 856 and 1672 are the wmic.exe children; 1728 is the wmiprvse.exe parent.)
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Executes dropped EXE (1 IoCs)
Processes: 2176 download.exe (the copy in C:\Users\Admin\AppData\Roaming\Microsoft\Windows, launched by taskeng.exe)
Modifies extensions of user files (14 IoCs)
Ransomware generally changes the extension on encrypted files.
Process download.exe appends .aDeDEeAaEd to each encrypted file in C:\Users\Admin\Pictures:
- SyncOpen.png => SyncOpen.png.aDeDEeAaEd
- SwitchRestart.tif => SwitchRestart.tif.aDeDEeAaEd
- ResumeSync.crw => ResumeSync.crw.aDeDEeAaEd
- WatchHide.tif => WatchHide.tif.aDeDEeAaEd
- ReadRegister.tiff => ReadRegister.tiff.aDeDEeAaEd
- GrantFind.png => GrantFind.png.aDeDEeAaEd
- RenameTest.raw => RenameTest.raw.aDeDEeAaEd
- RepairSearch.crw => RepairSearch.crw.aDeDEeAaEd
- TraceStop.raw => TraceStop.raw.aDeDEeAaEd
- GetFind.png => GetFind.png.aDeDEeAaEd
- OutInitialize.crw => OutInitialize.crw.aDeDEeAaEd
- InitializeConvert.tiff => InitializeConvert.tiff.aDeDEeAaEd
The remaining two IoCs are "File opened for modification" on InitializeConvert.tiff and ReadRegister.tiff (both also renamed above): the contents are rewritten, not only the name.
Checks whether UAC is enabled (1 IoCs)
Process download.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (the same write is listed under System policy modification below)

Drops desktop.ini file(s) (1 IoCs)
Process download.exe: File opened for modification \??\Z:\$RECYCLE.BIN\S-1-5-21-2455352368-1077083310-2879168483-1000\desktop.ini
Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Process download.exe opens (read-only) the root of every drive letter except C: and D:
\??\A: \??\B: \??\E: \??\F: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Interacts with shadow copies (2 TTPs, 3 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes: vssadmin.exe, PIDs 1800, 408 and 1808 (the three "vssadmin Delete Shadows /All /Quiet" children of download.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: 1612 download.exe, 64 identical entries (the display caps at 64)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: wmic.exe (PIDs 316, 856, 1672, 336)
Each of 316, 856 and 1672 enables the same 20 privileges on its token:
SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
(Privilege LUIDs 33, 34 and 35 are SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege and SeCreateSymbolicLinkPrivilege.) PID 336 shows only the first four (SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege) before the 64-IoC display cap cuts the list. This is the privilege set wmic.exe routinely enables before calling into WMI, so the signal here is the SHADOWCOPY DELETE command line, not the token change itself.
Suspicious use of WriteProcessMemory (28 IoCs)
Each parent-to-child write is recorded four times (28 = 7 x 4), and each coincides with a child's creation, which is consistent with the parent setting up the new process rather than injecting into a running one:
PID 1612 download.exe wrote to memory of: 336 wmic.exe, 1800 vssadmin.exe, 1964 wmic.exe, 408 vssadmin.exe, 1584 wmic.exe, 1808 vssadmin.exe
PID 2140 taskeng.exe wrote to memory of: 2176 download.exe
System policy modification (1 TTPs, 3 IoCs)
Process download.exe sets three values (int) under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System:
- EnableLUA = "0": switches UAC off entirely (takes effect at the next reboot)
- ConsentPromptBehaviorAdmin = "0": administrators are elevated silently, with no consent prompt
- EnableLinkedConnections = "1": drive letters mapped under the user's standard token become visible to the elevated token as well, which lets the encryptor reach mapped network shares in addition to local volumes
On a real host, check and revert all three during response; the sandbox records only the writes.
Processes

C:\Users\Admin\AppData\Local\Temp\download.exe (PID 1612)
  command line: "C:\Users\Admin\AppData\Local\Temp\download.exe"
  - Modifies extensions of user files
  - Checks whether UAC is enabled
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification
  Children, in launch order (PIDs from the WriteProcessMemory table; the SysWOW64 paths show the sample is a 32-bit binary running under WoW64 file-system redirection):
    C:\Windows\SysWOW64\Wbem\wmic.exe (PID 336): wmic SHADOWCOPY DELETE /nointeractive
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\vssadmin.exe (PID 1800): vssadmin Delete Shadows /All /Quiet
      - Interacts with shadow copies
    C:\Windows\SysWOW64\Wbem\wmic.exe (PID 1964): wmic SHADOWCOPY DELETE /nointeractive
    C:\Windows\SysWOW64\vssadmin.exe (PID 408): vssadmin Delete Shadows /All /Quiet
      - Interacts with shadow copies
    C:\Windows\SysWOW64\Wbem\wmic.exe (PID 1584): wmic SHADOWCOPY DELETE /nointeractive
    C:\Windows\SysWOW64\vssadmin.exe (PID 1808): vssadmin Delete Shadows /All /Quiet
      - Interacts with shadow copies

C:\Windows\system32\wbem\wmic.exe (PIDs 316, 856, 1672; parent wmiprvse.exe, PID 1728), three instances, each: wmic SHADOWCOPY DELETE /nointeractive
  - Process spawned unexpected child process
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\vssvc.exe
  (the Volume Shadow Copy service, which starts on demand when shadow copies are queried or deleted; no signatures)

C:\Windows\system32\taskeng.exe (PID 2140)
  command line: taskeng.exe {59A17974-5DCB-4FD6-BCF5-FA1A4BA02BDD} S-1-5-21-2455352368-1077083310-2879168483-1000:QWOCTUPM\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\download.exe (PID 2176)
      - Executes dropped EXE
  taskeng.exe is the Task Scheduler engine running in the Admin user's interactive session, so the Roaming copy is being started by a scheduled task. No schtasks.exe or other task-creation command line appears in the tree, so how the task was registered is not visible in this report.
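The signatures above translate directly into host-level detection rules. The following Python is an added example (my own code, not the sandbox's and not anything from the sample) that applies those rules to a constructed event stream modelled on the tree above: shadow-copy deletion command lines, the wmiprvse.exe -> wmic.exe edge with the WoW64 mirroring check, a binary under AppData\Roaming launched by taskeng.exe, the three UAC registry writes, and a burst of renames to one new extension. The event schema, the explorer.exe parent of the first process, the rename threshold and the "unexpected parent" list are assumptions, not anything the report states.

```python
"""Triage rules modelled on this report's signatures, run over constructed events.
Added example: not sandbox output and not code from the sample. The event schema,
the explorer.exe parent, MASS_RENAME_THRESHOLD and UNEXPECTED_PARENTS are assumptions."""
import re
from collections import Counter

UAC_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
DL_TEMP = r"C:\Users\Admin\AppData\Local\Temp\download.exe"
DL_ROAM = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\download.exe"
PICTURES = r"C:\Users\Admin\Pictures"

# Constructed events mirroring a subset of the report's process tree, registry
# writes and file renames (PIDs as in the report).
EVENTS = [
    {"type": "process", "pid": 1612, "image": DL_TEMP, "cmdline": f'"{DL_TEMP}"',
     "parent": r"C:\Windows\explorer.exe"},  # parent assumed; the report does not show it
    {"type": "process", "pid": 336, "image": r"C:\Windows\SysWOW64\Wbem\wmic.exe",
     "cmdline": "wmic SHADOWCOPY DELETE /nointeractive", "parent": DL_TEMP},
    {"type": "process", "pid": 1800, "image": r"C:\Windows\SysWOW64\vssadmin.exe",
     "cmdline": "vssadmin Delete Shadows /All /Quiet", "parent": DL_TEMP},
    {"type": "process", "pid": 316, "image": r"C:\Windows\system32\wbem\wmic.exe",
     "cmdline": "wmic SHADOWCOPY DELETE /nointeractive",
     "parent": r"C:\Windows\system32\wbem\wmiprvse.exe"},
    {"type": "process", "pid": 2176, "image": DL_ROAM, "cmdline": DL_ROAM,
     "parent": r"C:\Windows\system32\taskeng.exe"},
    {"type": "registry", "pid": 1612, "key": UAC_KEY, "value": "EnableLUA", "data": 0},
    {"type": "registry", "pid": 1612, "key": UAC_KEY, "value": "ConsentPromptBehaviorAdmin", "data": 0},
    {"type": "registry", "pid": 1612, "key": UAC_KEY, "value": "EnableLinkedConnections", "data": 1},
] + [
    {"type": "rename", "pid": 1612, "old": PICTURES + "\\" + name,
     "new": PICTURES + "\\" + name + ".aDeDEeAaEd"}
    for name in ("SyncOpen.png", "SwitchRestart.tif", "ResumeSync.crw",
                 "WatchHide.tif", "ReadRegister.tiff")
]

SHADOW_DELETE = re.compile(
    r"\b(?:vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete)\b", re.I)
# Value data that turns UAC off or exposes mapped drives to the elevated token.
UAC_TAMPER = {"enablelua": 0, "consentpromptbehavioradmin": 0, "enablelinkedconnections": 1}
UNEXPECTED_PARENTS = {"wmiprvse.exe"}  # assumed policy: the WMI provider host spawns nothing
MASS_RENAME_THRESHOLD = 5              # assumed; tune to the file-event volume you observe


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def triage(events):
    """Return the findings the report's signatures would raise on these events."""
    f = {"shadow_copy_deletion": [], "unexpected_parent": [], "persistence_launch": [],
         "uac_tampering": [], "mass_rename": None}
    # Command lines already run by a WoW64 (32-bit) client. A native wmic.exe under
    # wmiprvse.exe that repeats one of these is the WMI host re-executing the request,
    # so it is flagged as mirrored rather than as a compromised wmiprvse.exe.
    wow64_cmds = {e["cmdline"].lower() for e in events
                  if e["type"] == "process" and "\\syswow64\\" in e["image"].lower()}
    new_exts = Counter()
    for e in events:
        if e["type"] == "process":
            if SHADOW_DELETE.search(e["cmdline"]):
                f["shadow_copy_deletion"].append(e["pid"])
            if basename(e["parent"]) in UNEXPECTED_PARENTS:
                mirrored = e["cmdline"].lower() in wow64_cmds
                f["unexpected_parent"].append((e["pid"], basename(e["image"]), mirrored))
            if basename(e["parent"]) == "taskeng.exe" and "\\appdata\\roaming\\" in e["image"].lower():
                f["persistence_launch"].append(e["pid"])
        elif e["type"] == "registry":
            if e["key"].lower() == UAC_KEY.lower() and UAC_TAMPER.get(e["value"].lower()) == e["data"]:
                f["uac_tampering"].append(e["value"])
        elif e["type"] == "rename" and e["new"].startswith(e["old"] + "."):
            new_exts[e["new"][len(e["old"]):]] += 1  # the appended extension, e.g. ".aDeDEeAaEd"
    if new_exts:
        ext, n = new_exts.most_common(1)[0]
        if n >= MASS_RENAME_THRESHOLD:
            f["mass_rename"] = {"extension": ext, "count": n}
    return f


if __name__ == "__main__":
    for name, hit in triage(EVENTS).items():
        print(f"{name}: {hit}")
```

The rename rule keys on the appended suffix rather than on a known extension list, because the suffix (.aDeDEeAaEd here) is per-victim and cannot be allowlisted in advance; the burst of identical new suffixes is the stable signal. Feed real Sysmon or EDR events into the same schema and the rules run unchanged.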
Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\download.exe
MD5: b1d5df48725672b525c8879670d10eaa
SHA1: 6a6956aff077aeda5b22873cfb891632fbce6bc7
SHA256: f9b748cf35278dc4bfaa2127ca1d6016fafbeb768b1a09c7ab58560632dbd637
SHA512: 7fc5fda6187a994cebc8d2e3eb895eabeea1b2b2f8195951e9b32375d23f0d9c709f69016813d97cbdf9d0a01f3e10aaf2360dfb712127aba06feef12c22035c
The hashes match the submitted sample exactly: the Roaming copy is a byte-for-byte self-copy, the one taskeng.exe later runs as PID 2176.
-
memory/336-60-0x0000000000000000-mapping.dmp
-
memory/408-63-0x0000000000000000-mapping.dmp
-
memory/1584-64-0x0000000000000000-mapping.dmp
-
memory/1612-59-0x0000000075D51000-0x0000000075D53000-memory.dmpFilesize
8KB
-
memory/1800-61-0x0000000000000000-mapping.dmp
-
memory/1808-65-0x0000000000000000-mapping.dmp
-
memory/1964-62-0x0000000000000000-mapping.dmp
-
memory/2176-67-0x0000000000000000-mapping.dmp