Analysis
max time kernel: 130s
max time network: 140s
platform: windows10_x64
resource: win10v20210410
submitted: 20-04-2021 09:05
Static task: static1
Behavioral task: behavioral1
  Sample: download.exe
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: download.exe
  Resource: win10v20210410
General
Target: download.exe
Size: 775KB
MD5: b1d5df48725672b525c8879670d10eaa
SHA1: 6a6956aff077aeda5b22873cfb891632fbce6bc7
SHA256: f9b748cf35278dc4bfaa2127ca1d6016fafbeb768b1a09c7ab58560632dbd637
SHA512: 7fc5fda6187a994cebc8d2e3eb895eabeea1b2b2f8195951e9b32375d23f0d9c709f69016813d97cbdf9d0a01f3e10aaf2360dfb712127aba06feef12c22035c
Malware Config
Extracted from: C:\odt\xbPFm5X_readme_.txt
  http://avaddongun7rngel.onion
  http://avaddonbotrxmuyl.onion
Extracted from: C:\Users\Admin\Pictures\xbPFm5X_readme_.txt
  http://avaddongun7rngel.onion
  http://avaddonbotrxmuyl.onion
Signatures
Process spawned unexpected child process 3 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
description | pid | pid_target | process | target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2636 | 500 | wmic.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4084 | 500 | wmic.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3308 | 500 | wmic.exe |
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
Modifies extensions of user files 7 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
description | ioc | process
File opened for modification | C:\Users\Admin\Pictures\OptimizeUse.tiff | download.exe
File renamed | C:\Users\Admin\Pictures\NewMount.raw => C:\Users\Admin\Pictures\NewMount.raw.bdEaeECDaA | download.exe
File renamed | C:\Users\Admin\Pictures\StepSet.raw => C:\Users\Admin\Pictures\StepSet.raw.bdEaeECDaA | download.exe
File renamed | C:\Users\Admin\Pictures\OptimizeUse.tiff => C:\Users\Admin\Pictures\OptimizeUse.tiff.bdEaeECDaA | download.exe
File renamed | C:\Users\Admin\Pictures\UnpublishInstall.png => C:\Users\Admin\Pictures\UnpublishInstall.png.bdEaeECDaA | download.exe
File renamed | C:\Users\Admin\Pictures\WaitProtect.crw => C:\Users\Admin\Pictures\WaitProtect.crw.bdEaeECDaA | download.exe
File renamed | C:\Users\Admin\Pictures\ConvertFromGroup.raw => C:\Users\Admin\Pictures\ConvertFromGroup.raw.bdEaeECDaA | download.exe
Checks whether UAC is enabled
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | download.exe
Drops desktop.ini file(s) 1 IoCs
Processes:
description | ioc | process
File opened for modification | \??\Z:\$RECYCLE.BIN\S-1-5-21-3686645723-710336880-414668232-1000\desktop.ini | download.exe
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
description | ioc | process
File opened (read-only) | \??\A: | download.exe
File opened (read-only) | \??\J: | download.exe
File opened (read-only) | \??\M: | download.exe
File opened (read-only) | \??\Q: | download.exe
File opened (read-only) | \??\T: | download.exe
File opened (read-only) | \??\X: | download.exe
File opened (read-only) | \??\G: | download.exe
File opened (read-only) | \??\K: | download.exe
File opened (read-only) | \??\L: | download.exe
File opened (read-only) | \??\P: | download.exe
File opened (read-only) | \??\R: | download.exe
File opened (read-only) | \??\U: | download.exe
File opened (read-only) | \??\Z: | download.exe
File opened (read-only) | \??\E: | download.exe
File opened (read-only) | \??\H: | download.exe
File opened (read-only) | \??\O: | download.exe
File opened (read-only) | \??\S: | download.exe
File opened (read-only) | \??\W: | download.exe
File opened (read-only) | \??\Y: | download.exe
File opened (read-only) | \??\B: | download.exe
File opened (read-only) | \??\F: | download.exe
File opened (read-only) | \??\I: | download.exe
File opened (read-only) | \??\N: | download.exe
File opened (read-only) | \??\V: | download.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Interacts with shadow copies 2 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
pid | process
4228 | vssadmin.exe
4336 | vssadmin.exe
4456 | vssadmin.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process
3176 | download.exe
(the same row, 3176 download.exe, is repeated 64 times in the report, once per observed enumeration)
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description | pid | process
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 (21 entries) | 2636 | wmic.exe
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 (21 entries) | 4084 | wmic.exe
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 (21 entries) | 3568 | wmic.exe
Token: SeIncreaseQuotaPrivilege (1 entry; the report's 64-row cap is reached here) | 3308 | wmic.exe
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
description | pid | process | target process
PID 3176 wrote to memory of 3568 (3 entries) | 3176 | download.exe | wmic.exe
PID 3176 wrote to memory of 4228 (3 entries) | 3176 | download.exe | vssadmin.exe
PID 3176 wrote to memory of 4280 (3 entries) | 3176 | download.exe | wmic.exe
PID 3176 wrote to memory of 4336 (3 entries) | 3176 | download.exe | vssadmin.exe
PID 3176 wrote to memory of 4392 (3 entries) | 3176 | download.exe | wmic.exe
PID 3176 wrote to memory of 4456 (3 entries) | 3176 | download.exe | vssadmin.exe
System policy modification 1 TTPs 3 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | download.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | download.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | download.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\download.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\download.exe"
  - Modifies extensions of user files
  - Checks whether UAC is enabled
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification
  - C:\Windows\SysWOW64\Wbem\wmic.exe (depth 2)
    Command line: wmic SHADOWCOPY DELETE /nointeractive
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\vssadmin.exe (depth 2)
    Command line: vssadmin Delete Shadows /All /Quiet
    - Interacts with shadow copies
  - C:\Windows\SysWOW64\Wbem\wmic.exe (depth 2)
    Command line: wmic SHADOWCOPY DELETE /nointeractive
  - C:\Windows\SysWOW64\vssadmin.exe (depth 2)
    Command line: vssadmin Delete Shadows /All /Quiet
    - Interacts with shadow copies
  - C:\Windows\SysWOW64\Wbem\wmic.exe (depth 2)
    Command line: wmic SHADOWCOPY DELETE /nointeractive
  - C:\Windows\SysWOW64\vssadmin.exe (depth 2)
    Command line: vssadmin Delete Shadows /All /Quiet
    - Interacts with shadow copies
- C:\Windows\system32\wbem\wmic.exe (depth 1)
  Command line: wmic SHADOWCOPY DELETE /nointeractive
  - Process spawned unexpected child process
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbem\wmic.exe (depth 1)
  Command line: wmic SHADOWCOPY DELETE /nointeractive
  - Process spawned unexpected child process
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbem\wmic.exe (depth 1)
  Command line: wmic SHADOWCOPY DELETE /nointeractive
  - Process spawned unexpected child process
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe (depth 1)
  Command line: C:\Windows\system32\vssvc.exe
Network
MITRE ATT&CK Matrix ATT&CK v6