Analysis Overview
SHA256
d8432d6eca2162786cc16d694cf0a1a7e08095870325e46f3067bd654e47cfb2
Threat Level: Known bad
The file d8432d6eca2162786cc16d694cf0a1a7e08095870325e46f3067bd654e47cfb2 was found to be: Known bad.
Malicious Activity Summary
Avaddon Ransomware
Avaddon family
UAC bypass
Avaddon
Deletes shadow copies
Modifies extensions of user files
Executes dropped EXE
Checks whether UAC is enabled
Drops desktop.ini file(s)
Enumerates connected drives
Enumerates physical storage devices
Interacts with shadow copies
Suspicious use of AdjustPrivilegeToken
System policy modification
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-05-28 10:55
Signatures
Avaddon Ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Avaddon family
Analysis: behavioral1
Detonation Overview
Submitted
2021-05-28 10:55
Reported
2021-05-28 10:59
Platform
win7v20210408
Max time kernel
69s
Max time network
34s
Command Line
Signatures
Avaddon
Avaddon Ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UAC bypass
Deletes shadow copies
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\d8432d6eca2162786cc16d694cf0a1a7e08095870325e46f3067bd654e47cfb2.exe | N/A |
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File renamed | C:\Users\Admin\Pictures\ExitFind.crw => C:\Users\Admin\Pictures\ExitFind.crw.bCADccCbAC | C:\Users\Admin\AppData\Local\Temp\d8432d6eca2162786cc16d694cf0a1a7e08095870325e46f3067bd654e47cfb2.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ImportDebug.tif => C:\Users\Admin\Pictures\ImportDebug.tif.bCADccCbAC | C:\Users\Admin\AppData\Local\Temp\d8432d6eca2162786cc16d694cf0a1a7e08095870325e46f3067bd654e47cfb2.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\NewReset.raw => C:\Users\Admin\Pictures\NewReset.raw.bCADccCbAC | C:\Users\Admin\AppData\Local\Temp\d8432d6eca2162786cc16d694cf0a1a7e08095870325e46f3067bd654e47cfb2.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\d8432d6eca2162786cc16d694cf0a1a7e08095870325e46f3067bd654e47cfb2.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | \??\Z:\$RECYCLE.BIN\S-1-5-21-2455352368-1077083310-2879168483-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\d8432d6eca2162786cc16d694cf0a1a7e08095870325e46f3067bd654e47cfb2.exe | N/A |
Enumerates connected drives
Enumerates physical storage devices
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\vssadmin.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\d8432d6eca2162786cc16d694cf0a1a7e08095870325e46f3067bd654e47cfb2.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\d8432d6eca2162786cc16d694cf0a1a7e08095870325e46f3067bd654e47cfb2.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | C:\Users\Admin\AppData\Local\Temp\d8432d6eca2162786cc16d694cf0a1a7e08095870325e46f3067bd654e47cfb2.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\d8432d6eca2162786cc16d694cf0a1a7e08095870325e46f3067bd654e47cfb2.exe
"C:\Users\Admin\AppData\Local\Temp\d8432d6eca2162786cc16d694cf0a1a7e08095870325e46f3067bd654e47cfb2.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c wmic.exe SHADOWCOPY /nointeractive
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c wbadmin DELETE SYSTEMSTATEBACKUP
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic.exe SHADOWCOPY /nointeractive
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} recoveryenabled No
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c wmic.exe SHADOWCOPY /nointeractive
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c wbadmin DELETE SYSTEMSTATEBACKUP
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic.exe SHADOWCOPY /nointeractive
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} recoveryenabled No
C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c wmic.exe SHADOWCOPY /nointeractive
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c wbadmin DELETE SYSTEMSTATEBACKUP
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic.exe SHADOWCOPY /nointeractive
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "9524188031436271432-657717719-161449073-951591173-1030637373-1888037537543632255"
C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} recoveryenabled No
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet
C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
C:\Windows\system32\taskeng.exe
taskeng.exe {FA1F7C19-4B41-4A47-AA4E-26068B181F71} S-1-5-21-2455352368-1077083310-2879168483-1000:QWOCTUPM\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\d8432d6eca2162786cc16d694cf0a1a7e08095870325e46f3067bd654e47cfb2.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\d8432d6eca2162786cc16d694cf0a1a7e08095870325e46f3067bd654e47cfb2.exe
Network
Files
memory/2044-59-0x0000000075D11000-0x0000000075D13000-memory.dmp
memory/1616-60-0x0000000000000000-mapping.dmp
memory/700-61-0x0000000000000000-mapping.dmp
memory/760-63-0x0000000000000000-mapping.dmp
memory/804-62-0x0000000000000000-mapping.dmp
memory/1096-64-0x0000000000000000-mapping.dmp
memory/1212-65-0x0000000000000000-mapping.dmp
memory/588-66-0x0000000000000000-mapping.dmp
memory/868-67-0x0000000000000000-mapping.dmp
memory/696-68-0x0000000000000000-mapping.dmp
memory/1076-71-0x0000000000000000-mapping.dmp
memory/1676-70-0x0000000000000000-mapping.dmp
memory/1080-69-0x0000000000000000-mapping.dmp
memory/920-72-0x0000000000000000-mapping.dmp
memory/1176-73-0x0000000000000000-mapping.dmp
memory/1552-74-0x0000000000000000-mapping.dmp
memory/1980-75-0x0000000000000000-mapping.dmp
memory/804-76-0x0000000000000000-mapping.dmp
memory/1212-78-0x0000000000000000-mapping.dmp
memory/1104-79-0x0000000000000000-mapping.dmp
memory/1612-77-0x0000000000000000-mapping.dmp
memory/1520-80-0x0000000000000000-mapping.dmp
memory/1948-81-0x0000000000000000-mapping.dmp
memory/1368-82-0x0000000000000000-mapping.dmp
memory/1836-83-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\d8432d6eca2162786cc16d694cf0a1a7e08095870325e46f3067bd654e47cfb2.exe
| MD5 | f653e6890e4afe6eb4081b3f94189dad |
| SHA1 | a19718f52fa1f2dcba2acec7a4556f0dc77793d9 |
| SHA256 | d8432d6eca2162786cc16d694cf0a1a7e08095870325e46f3067bd654e47cfb2 |
| SHA512 | e8883ff02069766d8b2f8f8aac75292344d9dcc508084d7a96d26db2d8fdd8fac375d9d327b8c51a5e493304f5dc908a542c42e271856624157a7a0807c82bd2 |
memory/1992-85-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\d8432d6eca2162786cc16d694cf0a1a7e08095870325e46f3067bd654e47cfb2.exe
| MD5 | f653e6890e4afe6eb4081b3f94189dad |
| SHA1 | a19718f52fa1f2dcba2acec7a4556f0dc77793d9 |
| SHA256 | d8432d6eca2162786cc16d694cf0a1a7e08095870325e46f3067bd654e47cfb2 |
| SHA512 | e8883ff02069766d8b2f8f8aac75292344d9dcc508084d7a96d26db2d8fdd8fac375d9d327b8c51a5e493304f5dc908a542c42e271856624157a7a0807c82bd2 |
Analysis: behavioral2
Detonation Overview
Submitted
2021-05-28 10:55
Reported
2021-05-28 10:58
Platform
win10v20210410
Max time kernel
150s
Max time network
144s
Command Line
Signatures
UAC bypass
Deletes shadow copies
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File renamed | C:\Users\Admin\Pictures\MoveUnregister.png => C:\Users\Admin\Pictures\MoveUnregister.png.BBadCCCeAB | C:\Users\Admin\AppData\Local\Temp\d8432d6eca2162786cc16d694cf0a1a7e08095870325e46f3067bd654e47cfb2.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\SkipConfirm.png => C:\Users\Admin\Pictures\SkipConfirm.png.BBadCCCeAB | C:\Users\Admin\AppData\Local\Temp\d8432d6eca2162786cc16d694cf0a1a7e08095870325e46f3067bd654e47cfb2.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\BlockComplete.tiff | C:\Users\Admin\AppData\Local\Temp\d8432d6eca2162786cc16d694cf0a1a7e08095870325e46f3067bd654e47cfb2.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\DebugUpdate.png => C:\Users\Admin\Pictures\DebugUpdate.png.BBadCCCeAB | C:\Users\Admin\AppData\Local\Temp\d8432d6eca2162786cc16d694cf0a1a7e08095870325e46f3067bd654e47cfb2.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\SearchInstall.tiff | C:\Users\Admin\AppData\Local\Temp\d8432d6eca2162786cc16d694cf0a1a7e08095870325e46f3067bd654e47cfb2.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\SearchInstall.tiff => C:\Users\Admin\Pictures\SearchInstall.tiff.BBadCCCeAB | C:\Users\Admin\AppData\Local\Temp\d8432d6eca2162786cc16d694cf0a1a7e08095870325e46f3067bd654e47cfb2.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\BlockComplete.tiff => C:\Users\Admin\Pictures\BlockComplete.tiff.BBadCCCeAB | C:\Users\Admin\AppData\Local\Temp\d8432d6eca2162786cc16d694cf0a1a7e08095870325e46f3067bd654e47cfb2.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\MeasureWait.raw => C:\Users\Admin\Pictures\MeasureWait.raw.BBadCCCeAB | C:\Users\Admin\AppData\Local\Temp\d8432d6eca2162786cc16d694cf0a1a7e08095870325e46f3067bd654e47cfb2.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\PushRequest.png => C:\Users\Admin\Pictures\PushRequest.png.BBadCCCeAB | C:\Users\Admin\AppData\Local\Temp\d8432d6eca2162786cc16d694cf0a1a7e08095870325e46f3067bd654e47cfb2.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\d8432d6eca2162786cc16d694cf0a1a7e08095870325e46f3067bd654e47cfb2.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | \??\Z:\$RECYCLE.BIN\S-1-5-21-3686645723-710336880-414668232-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\d8432d6eca2162786cc16d694cf0a1a7e08095870325e46f3067bd654e47cfb2.exe | N/A |
Enumerates connected drives
Enumerates physical storage devices
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\vssadmin.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\d8432d6eca2162786cc16d694cf0a1a7e08095870325e46f3067bd654e47cfb2.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\d8432d6eca2162786cc16d694cf0a1a7e08095870325e46f3067bd654e47cfb2.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | C:\Users\Admin\AppData\Local\Temp\d8432d6eca2162786cc16d694cf0a1a7e08095870325e46f3067bd654e47cfb2.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\d8432d6eca2162786cc16d694cf0a1a7e08095870325e46f3067bd654e47cfb2.exe
"C:\Users\Admin\AppData\Local\Temp\d8432d6eca2162786cc16d694cf0a1a7e08095870325e46f3067bd654e47cfb2.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c wmic.exe SHADOWCOPY /nointeractive
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c wbadmin DELETE SYSTEMSTATEBACKUP
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} recoveryenabled No
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c wmic.exe SHADOWCOPY /nointeractive
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c wbadmin DELETE SYSTEMSTATEBACKUP
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} recoveryenabled No
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic.exe SHADOWCOPY /nointeractive
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c wmic.exe SHADOWCOPY /nointeractive
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c wbadmin DELETE SYSTEMSTATEBACKUP
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} recoveryenabled No
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet
C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic.exe SHADOWCOPY /nointeractive
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic.exe SHADOWCOPY /nointeractive
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
Network
| Country | Destination | Domain | Proto |
| N/A | 10.10.0.1:445 | tcp | |
| N/A | 10.10.0.1:139 | tcp | |
| N/A | 10.10.0.34:51722 | tcp | |
| N/A | 10.10.0.14:445 | tcp | |
| N/A | 10.10.0.15:445 | tcp | |
| N/A | 10.10.0.17:445 | tcp | |
| N/A | 10.10.0.18:445 | tcp | |
| N/A | 10.10.0.24:445 | tcp | |
| N/A | 10.10.0.26:445 | tcp | |
| N/A | 10.10.0.24:58815 | tcp | |
| N/A | 10.10.0.31:445 | tcp | |
| N/A | 10.10.0.31:445 | tcp |
Files
memory/2616-114-0x0000000000000000-mapping.dmp
memory/3144-115-0x0000000000000000-mapping.dmp
memory/2232-116-0x0000000000000000-mapping.dmp
memory/1004-117-0x0000000000000000-mapping.dmp
memory/3404-119-0x0000000000000000-mapping.dmp
memory/412-118-0x0000000000000000-mapping.dmp
memory/3728-120-0x0000000000000000-mapping.dmp
memory/2368-122-0x0000000000000000-mapping.dmp
memory/2492-124-0x0000000000000000-mapping.dmp
memory/3772-123-0x0000000000000000-mapping.dmp
memory/3964-125-0x0000000000000000-mapping.dmp
memory/1168-121-0x0000000000000000-mapping.dmp
memory/2632-126-0x0000000000000000-mapping.dmp
memory/4116-127-0x0000000000000000-mapping.dmp
memory/4160-128-0x0000000000000000-mapping.dmp
memory/4204-129-0x0000000000000000-mapping.dmp
memory/4260-130-0x0000000000000000-mapping.dmp
memory/4368-132-0x0000000000000000-mapping.dmp
memory/4416-134-0x0000000000000000-mapping.dmp
memory/4384-133-0x0000000000000000-mapping.dmp
memory/4324-131-0x0000000000000000-mapping.dmp
memory/4596-136-0x0000000000000000-mapping.dmp
memory/4552-135-0x0000000000000000-mapping.dmp
memory/4696-137-0x0000000000000000-mapping.dmp