Analysis Overview
SHA256
3ec1be1a56371298b733b6873718b1ef54a57d9bbbf4209bf10d67d1178ba32a
Threat Level: Known bad
The file 3ec1be1a56371298b733b6873718b1ef54a57d9bbbf4209bf10d67d1178ba32a was found to be: Known bad.
Malicious Activity Summary
Avaddon
Avaddon Ransomware
Avaddon family
UAC bypass
Process spawned unexpected child process
Deletes shadow copies
Executes dropped EXE
Modifies extensions of user files
Checks whether UAC is enabled
Drops desktop.ini file(s)
Enumerates connected drives
Enumerates physical storage devices
System policy modification
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Interacts with shadow copies
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-05-28 10:42
Signatures
Avaddon Ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Avaddon family
Analysis: behavioral1
Detonation Overview
Submitted
2021-05-28 10:42
Reported
2021-05-28 10:45
Platform
win7v20210410
Max time kernel
123s
Max time network
125s
Command Line
Signatures
Avaddon
Avaddon Ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\wbem\wmic.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\wbem\wmic.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\wbem\wmic.exe |
UAC bypass
Deletes shadow copies
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\3ec1be1a56371298b733b6873718b1ef54a57d9bbbf4209bf10d67d1178ba32a.exe | N/A |
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File renamed | C:\Users\Admin\Pictures\CompressEnter.crw => C:\Users\Admin\Pictures\CompressEnter.crw.BacBBedadB | C:\Users\Admin\AppData\Local\Temp\3ec1be1a56371298b733b6873718b1ef54a57d9bbbf4209bf10d67d1178ba32a.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\MoveRequest.tif => C:\Users\Admin\Pictures\MoveRequest.tif.BacBBedadB | C:\Users\Admin\AppData\Local\Temp\3ec1be1a56371298b733b6873718b1ef54a57d9bbbf4209bf10d67d1178ba32a.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\UseUpdate.tiff | C:\Users\Admin\AppData\Local\Temp\3ec1be1a56371298b733b6873718b1ef54a57d9bbbf4209bf10d67d1178ba32a.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\UseUpdate.tiff => C:\Users\Admin\Pictures\UseUpdate.tiff.BacBBedadB | C:\Users\Admin\AppData\Local\Temp\3ec1be1a56371298b733b6873718b1ef54a57d9bbbf4209bf10d67d1178ba32a.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\MoveInstall.png => C:\Users\Admin\Pictures\MoveInstall.png.BacBBedadB | C:\Users\Admin\AppData\Local\Temp\3ec1be1a56371298b733b6873718b1ef54a57d9bbbf4209bf10d67d1178ba32a.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\3ec1be1a56371298b733b6873718b1ef54a57d9bbbf4209bf10d67d1178ba32a.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | \??\Z:\$RECYCLE.BIN\S-1-5-21-2513283230-931923277-594887482-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\3ec1be1a56371298b733b6873718b1ef54a57d9bbbf4209bf10d67d1178ba32a.exe | N/A |
Enumerates connected drives
Enumerates physical storage devices
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\vssadmin.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | C:\Users\Admin\AppData\Local\Temp\3ec1be1a56371298b733b6873718b1ef54a57d9bbbf4209bf10d67d1178ba32a.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\3ec1be1a56371298b733b6873718b1ef54a57d9bbbf4209bf10d67d1178ba32a.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\3ec1be1a56371298b733b6873718b1ef54a57d9bbbf4209bf10d67d1178ba32a.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\3ec1be1a56371298b733b6873718b1ef54a57d9bbbf4209bf10d67d1178ba32a.exe
"C:\Users\Admin\AppData\Local\Temp\3ec1be1a56371298b733b6873718b1ef54a57d9bbbf4209bf10d67d1178ba32a.exe"
C:\Windows\system32\wbem\wmic.exe
wmic SHADOWCOPY DELETE /nointeractive
C:\Windows\system32\wbem\wmic.exe
wmic SHADOWCOPY DELETE /nointeractive
C:\Windows\system32\wbem\wmic.exe
wmic SHADOWCOPY DELETE /nointeractive
C:\Windows\SysWOW64\Wbem\wmic.exe
wmic SHADOWCOPY DELETE /nointeractive
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\SysWOW64\vssadmin.exe
vssadmin Delete Shadows /All /Quiet
C:\Windows\SysWOW64\Wbem\wmic.exe
wmic SHADOWCOPY DELETE /nointeractive
C:\Windows\SysWOW64\vssadmin.exe
vssadmin Delete Shadows /All /Quiet
C:\Windows\SysWOW64\Wbem\wmic.exe
wmic SHADOWCOPY DELETE /nointeractive
C:\Windows\SysWOW64\vssadmin.exe
vssadmin Delete Shadows /All /Quiet
C:\Windows\system32\taskeng.exe
taskeng.exe {19894817-0185-4800-8994-14F424B6C8B2} S-1-5-21-2513283230-931923277-594887482-1000:MRBKYMNO\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\3ec1be1a56371298b733b6873718b1ef54a57d9bbbf4209bf10d67d1178ba32a.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\3ec1be1a56371298b733b6873718b1ef54a57d9bbbf4209bf10d67d1178ba32a.exe
Network
Files
memory/1676-59-0x0000000075971000-0x0000000075973000-memory.dmp
memory/1624-60-0x0000000000000000-mapping.dmp
memory/1568-61-0x0000000000000000-mapping.dmp
memory/972-62-0x0000000000000000-mapping.dmp
memory/316-63-0x0000000000000000-mapping.dmp
memory/1624-64-0x0000000000000000-mapping.dmp
memory/1592-65-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\3ec1be1a56371298b733b6873718b1ef54a57d9bbbf4209bf10d67d1178ba32a.exe
| MD5 | c184070cbd4ecf9972a0c98439dce97d |
| SHA1 | d55b231db5f478af4ccc1445fbb22014cbf77e1e |
| SHA256 | 3ec1be1a56371298b733b6873718b1ef54a57d9bbbf4209bf10d67d1178ba32a |
| SHA512 | 0e86f0ee1b3de78859879ea05e16d4fca4fada386ecbe1b995b63f477b2ff2197a2decb05eaa603be52a9bf6d21958502e516da09c46ea6d1da8c258ce13d9c2 |
memory/1292-67-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\3ec1be1a56371298b733b6873718b1ef54a57d9bbbf4209bf10d67d1178ba32a.exe
| MD5 | c184070cbd4ecf9972a0c98439dce97d |
| SHA1 | d55b231db5f478af4ccc1445fbb22014cbf77e1e |
| SHA256 | 3ec1be1a56371298b733b6873718b1ef54a57d9bbbf4209bf10d67d1178ba32a |
| SHA512 | 0e86f0ee1b3de78859879ea05e16d4fca4fada386ecbe1b995b63f477b2ff2197a2decb05eaa603be52a9bf6d21958502e516da09c46ea6d1da8c258ce13d9c2 |
Analysis: behavioral2
Detonation Overview
Submitted
2021-05-28 10:42
Reported
2021-05-28 10:45
Platform
win10v20210408
Max time kernel
37s
Max time network
151s
Command Line
Signatures
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\wbem\wmic.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\wbem\wmic.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\wbem\wmic.exe |
UAC bypass
Deletes shadow copies
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File renamed | C:\Users\Admin\Pictures\MergeTrace.raw => C:\Users\Admin\Pictures\MergeTrace.raw.BADEeDBCAA | C:\Users\Admin\AppData\Local\Temp\3ec1be1a56371298b733b6873718b1ef54a57d9bbbf4209bf10d67d1178ba32a.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\UnlockTest.png => C:\Users\Admin\Pictures\UnlockTest.png.BADEeDBCAA | C:\Users\Admin\AppData\Local\Temp\3ec1be1a56371298b733b6873718b1ef54a57d9bbbf4209bf10d67d1178ba32a.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\WaitPop.tif => C:\Users\Admin\Pictures\WaitPop.tif.BADEeDBCAA | C:\Users\Admin\AppData\Local\Temp\3ec1be1a56371298b733b6873718b1ef54a57d9bbbf4209bf10d67d1178ba32a.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\MergeSearch.tiff | C:\Users\Admin\AppData\Local\Temp\3ec1be1a56371298b733b6873718b1ef54a57d9bbbf4209bf10d67d1178ba32a.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ShowDisconnect.tif => C:\Users\Admin\Pictures\ShowDisconnect.tif.BADEeDBCAA | C:\Users\Admin\AppData\Local\Temp\3ec1be1a56371298b733b6873718b1ef54a57d9bbbf4209bf10d67d1178ba32a.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ClearConvertFrom.tif => C:\Users\Admin\Pictures\ClearConvertFrom.tif.BADEeDBCAA | C:\Users\Admin\AppData\Local\Temp\3ec1be1a56371298b733b6873718b1ef54a57d9bbbf4209bf10d67d1178ba32a.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\OptimizeApprove.png => C:\Users\Admin\Pictures\OptimizeApprove.png.BADEeDBCAA | C:\Users\Admin\AppData\Local\Temp\3ec1be1a56371298b733b6873718b1ef54a57d9bbbf4209bf10d67d1178ba32a.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\MergeSearch.tiff => C:\Users\Admin\Pictures\MergeSearch.tiff.BADEeDBCAA | C:\Users\Admin\AppData\Local\Temp\3ec1be1a56371298b733b6873718b1ef54a57d9bbbf4209bf10d67d1178ba32a.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\EnableUnlock.crw => C:\Users\Admin\Pictures\EnableUnlock.crw.BADEeDBCAA | C:\Users\Admin\AppData\Local\Temp\3ec1be1a56371298b733b6873718b1ef54a57d9bbbf4209bf10d67d1178ba32a.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\CompareRevoke.tif => C:\Users\Admin\Pictures\CompareRevoke.tif.BADEeDBCAA | C:\Users\Admin\AppData\Local\Temp\3ec1be1a56371298b733b6873718b1ef54a57d9bbbf4209bf10d67d1178ba32a.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\3ec1be1a56371298b733b6873718b1ef54a57d9bbbf4209bf10d67d1178ba32a.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | \??\Z:\$RECYCLE.BIN\S-1-5-21-1594587808-2047097707-2163810515-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\3ec1be1a56371298b733b6873718b1ef54a57d9bbbf4209bf10d67d1178ba32a.exe | N/A |
Enumerates connected drives
Enumerates physical storage devices
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\vssadmin.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\3ec1be1a56371298b733b6873718b1ef54a57d9bbbf4209bf10d67d1178ba32a.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\3ec1be1a56371298b733b6873718b1ef54a57d9bbbf4209bf10d67d1178ba32a.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | C:\Users\Admin\AppData\Local\Temp\3ec1be1a56371298b733b6873718b1ef54a57d9bbbf4209bf10d67d1178ba32a.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\3ec1be1a56371298b733b6873718b1ef54a57d9bbbf4209bf10d67d1178ba32a.exe
"C:\Users\Admin\AppData\Local\Temp\3ec1be1a56371298b733b6873718b1ef54a57d9bbbf4209bf10d67d1178ba32a.exe"
C:\Windows\system32\wbem\wmic.exe
wmic SHADOWCOPY DELETE /nointeractive
C:\Windows\system32\wbem\wmic.exe
wmic SHADOWCOPY DELETE /nointeractive
C:\Windows\system32\wbem\wmic.exe
wmic SHADOWCOPY DELETE /nointeractive
C:\Windows\SysWOW64\Wbem\wmic.exe
wmic SHADOWCOPY DELETE /nointeractive
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\SysWOW64\vssadmin.exe
vssadmin Delete Shadows /All /Quiet
C:\Windows\SysWOW64\Wbem\wmic.exe
wmic SHADOWCOPY DELETE /nointeractive
C:\Windows\SysWOW64\vssadmin.exe
vssadmin Delete Shadows /All /Quiet
C:\Windows\SysWOW64\Wbem\wmic.exe
wmic SHADOWCOPY DELETE /nointeractive
C:\Windows\SysWOW64\vssadmin.exe
vssadmin Delete Shadows /All /Quiet
Network
| Country | Destination | Domain | Proto |
| N/A | 10.10.0.1:445 | tcp | |
| N/A | 10.10.0.1:139 | tcp |
Files
memory/2728-114-0x0000000000000000-mapping.dmp
memory/3816-115-0x0000000000000000-mapping.dmp
memory/792-116-0x0000000000000000-mapping.dmp
memory/1124-117-0x0000000000000000-mapping.dmp
memory/524-118-0x0000000000000000-mapping.dmp
memory/3084-119-0x0000000000000000-mapping.dmp