Analysis Overview
SHA256
5d41ca42ee12076258175a571521067e95d54e5cb3aecee46915c60a23aa1761
Threat Level: Known bad
The file 5d41ca42ee12076258175a571521067e95d54e5cb3aecee46915c60a23aa1761 was found to be: Known bad.
Malicious Activity Summary
Avaddon
Avaddon family
Avaddon Ransomware
UAC bypass
Deletes shadow copies
Modifies extensions of user files
Executes dropped EXE
Drops desktop.ini file(s)
Enumerates connected drives
Checks whether UAC is enabled
Enumerates physical storage devices
System policy modification
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Interacts with shadow copies
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-05-28 10:43
Signatures
Avaddon Ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Avaddon family
Analysis: behavioral1
Detonation Overview
Submitted
2021-05-28 10:43
Reported
2021-05-28 10:46
Platform
win7v20210410
Max time kernel
121s
Max time network
124s
Command Line
Signatures
Avaddon
Avaddon Ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UAC bypass
Deletes shadow copies
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\5d41ca42ee12076258175a571521067e95d54e5cb3aecee46915c60a23aa1761.exe | N/A |
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File renamed | C:\Users\Admin\Pictures\MoveUnpublish.png => C:\Users\Admin\Pictures\MoveUnpublish.png.beecEbBbAB | C:\Users\Admin\AppData\Local\Temp\5d41ca42ee12076258175a571521067e95d54e5cb3aecee46915c60a23aa1761.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\SaveDebug.raw => C:\Users\Admin\Pictures\SaveDebug.raw.beecEbBbAB | C:\Users\Admin\AppData\Local\Temp\5d41ca42ee12076258175a571521067e95d54e5cb3aecee46915c60a23aa1761.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\SubmitClose.tif => C:\Users\Admin\Pictures\SubmitClose.tif.beecEbBbAB | C:\Users\Admin\AppData\Local\Temp\5d41ca42ee12076258175a571521067e95d54e5cb3aecee46915c60a23aa1761.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\UninstallCompress.crw => C:\Users\Admin\Pictures\UninstallCompress.crw.beecEbBbAB | C:\Users\Admin\AppData\Local\Temp\5d41ca42ee12076258175a571521067e95d54e5cb3aecee46915c60a23aa1761.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\WriteStop.tif => C:\Users\Admin\Pictures\WriteStop.tif.beecEbBbAB | C:\Users\Admin\AppData\Local\Temp\5d41ca42ee12076258175a571521067e95d54e5cb3aecee46915c60a23aa1761.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\GetTrace.png => C:\Users\Admin\Pictures\GetTrace.png.beecEbBbAB | C:\Users\Admin\AppData\Local\Temp\5d41ca42ee12076258175a571521067e95d54e5cb3aecee46915c60a23aa1761.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\RepairRemove.tif => C:\Users\Admin\Pictures\RepairRemove.tif.beecEbBbAB | C:\Users\Admin\AppData\Local\Temp\5d41ca42ee12076258175a571521067e95d54e5cb3aecee46915c60a23aa1761.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\5d41ca42ee12076258175a571521067e95d54e5cb3aecee46915c60a23aa1761.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | \??\Z:\$RECYCLE.BIN\S-1-5-21-2513283230-931923277-594887482-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\5d41ca42ee12076258175a571521067e95d54e5cb3aecee46915c60a23aa1761.exe | N/A |
Enumerates connected drives
Enumerates physical storage devices
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\vssadmin.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\5d41ca42ee12076258175a571521067e95d54e5cb3aecee46915c60a23aa1761.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\5d41ca42ee12076258175a571521067e95d54e5cb3aecee46915c60a23aa1761.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | C:\Users\Admin\AppData\Local\Temp\5d41ca42ee12076258175a571521067e95d54e5cb3aecee46915c60a23aa1761.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\5d41ca42ee12076258175a571521067e95d54e5cb3aecee46915c60a23aa1761.exe
"C:\Users\Admin\AppData\Local\Temp\5d41ca42ee12076258175a571521067e95d54e5cb3aecee46915c60a23aa1761.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c wmic.exe SHADOWCOPY /nointeractive
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c wbadmin DELETE SYSTEMSTATEBACKUP
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic.exe SHADOWCOPY /nointeractive
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} recoveryenabled No
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c wmic.exe SHADOWCOPY /nointeractive
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c wbadmin DELETE SYSTEMSTATEBACKUP
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} recoveryenabled No
C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic.exe SHADOWCOPY /nointeractive
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c wmic.exe SHADOWCOPY /nointeractive
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c wbadmin DELETE SYSTEMSTATEBACKUP
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} recoveryenabled No
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet
C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic.exe SHADOWCOPY /nointeractive
C:\Windows\system32\taskeng.exe
taskeng.exe {70843CEF-594C-4F21-BDFB-955B3F7E1CC7} S-1-5-21-2513283230-931923277-594887482-1000:MRBKYMNO\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\5d41ca42ee12076258175a571521067e95d54e5cb3aecee46915c60a23aa1761.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\5d41ca42ee12076258175a571521067e95d54e5cb3aecee46915c60a23aa1761.exe
Network
Files
memory/1040-59-0x0000000074F31000-0x0000000074F33000-memory.dmp
memory/1344-60-0x0000000000000000-mapping.dmp
memory/1756-61-0x0000000000000000-mapping.dmp
memory/1716-62-0x0000000000000000-mapping.dmp
memory/1768-63-0x0000000000000000-mapping.dmp
memory/1240-64-0x0000000000000000-mapping.dmp
memory/1592-65-0x0000000000000000-mapping.dmp
memory/1648-66-0x0000000000000000-mapping.dmp
memory/364-67-0x0000000000000000-mapping.dmp
memory/396-68-0x0000000000000000-mapping.dmp
memory/1472-69-0x0000000000000000-mapping.dmp
memory/776-70-0x0000000000000000-mapping.dmp
memory/856-71-0x0000000000000000-mapping.dmp
memory/1016-73-0x0000000000000000-mapping.dmp
memory/904-72-0x0000000000000000-mapping.dmp
memory/1888-74-0x0000000000000000-mapping.dmp
memory/1004-75-0x0000000000000000-mapping.dmp
memory/1036-76-0x0000000000000000-mapping.dmp
memory/1456-78-0x0000000000000000-mapping.dmp
memory/1756-77-0x0000000000000000-mapping.dmp
memory/1680-79-0x0000000000000000-mapping.dmp
memory/1448-80-0x0000000000000000-mapping.dmp
memory/1604-81-0x0000000000000000-mapping.dmp
memory/1588-83-0x0000000000000000-mapping.dmp
memory/1528-82-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\5d41ca42ee12076258175a571521067e95d54e5cb3aecee46915c60a23aa1761.exe
| MD5 | 518c6c985ad165ad8b798039e55b0a16 |
| SHA1 | c1c3b16164dd9705d70289bbffb3d8a60ca48ece |
| SHA256 | 5d41ca42ee12076258175a571521067e95d54e5cb3aecee46915c60a23aa1761 |
| SHA512 | 5ffefe4533f15e013593358d4fb872ba6959d6c7be89ee7dc0c95a4fb8ec5004266173c59d24ec99b239cf2aef79a69a5c1c6e8099a7443bd765cab61a922be3 |
memory/856-85-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\5d41ca42ee12076258175a571521067e95d54e5cb3aecee46915c60a23aa1761.exe
| MD5 | 518c6c985ad165ad8b798039e55b0a16 |
| SHA1 | c1c3b16164dd9705d70289bbffb3d8a60ca48ece |
| SHA256 | 5d41ca42ee12076258175a571521067e95d54e5cb3aecee46915c60a23aa1761 |
| SHA512 | 5ffefe4533f15e013593358d4fb872ba6959d6c7be89ee7dc0c95a4fb8ec5004266173c59d24ec99b239cf2aef79a69a5c1c6e8099a7443bd765cab61a922be3 |
Analysis: behavioral2
Detonation Overview
Submitted
2021-05-28 10:43
Reported
2021-05-28 10:46
Platform
win10v20210408
Max time kernel
38s
Max time network
56s
Command Line
Signatures
UAC bypass
Deletes shadow copies
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File renamed | C:\Users\Admin\Pictures\ResetExport.raw => C:\Users\Admin\Pictures\ResetExport.raw.ecBdaedEe | C:\Users\Admin\AppData\Local\Temp\5d41ca42ee12076258175a571521067e95d54e5cb3aecee46915c60a23aa1761.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ApproveOptimize.tif => C:\Users\Admin\Pictures\ApproveOptimize.tif.ecBdaedEe | C:\Users\Admin\AppData\Local\Temp\5d41ca42ee12076258175a571521067e95d54e5cb3aecee46915c60a23aa1761.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\CompareRename.tif => C:\Users\Admin\Pictures\CompareRename.tif.ecBdaedEe | C:\Users\Admin\AppData\Local\Temp\5d41ca42ee12076258175a571521067e95d54e5cb3aecee46915c60a23aa1761.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\CloseResume.tif => C:\Users\Admin\Pictures\CloseResume.tif.ecBdaedEe | C:\Users\Admin\AppData\Local\Temp\5d41ca42ee12076258175a571521067e95d54e5cb3aecee46915c60a23aa1761.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\PingInvoke.png => C:\Users\Admin\Pictures\PingInvoke.png.ecBdaedEe | C:\Users\Admin\AppData\Local\Temp\5d41ca42ee12076258175a571521067e95d54e5cb3aecee46915c60a23aa1761.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\ReceiveUnpublish.tiff | C:\Users\Admin\AppData\Local\Temp\5d41ca42ee12076258175a571521067e95d54e5cb3aecee46915c60a23aa1761.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ReceiveUnpublish.tiff => C:\Users\Admin\Pictures\ReceiveUnpublish.tiff.ecBdaedEe | C:\Users\Admin\AppData\Local\Temp\5d41ca42ee12076258175a571521067e95d54e5cb3aecee46915c60a23aa1761.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ReadResize.crw => C:\Users\Admin\Pictures\ReadResize.crw.ecBdaedEe | C:\Users\Admin\AppData\Local\Temp\5d41ca42ee12076258175a571521067e95d54e5cb3aecee46915c60a23aa1761.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ResetRepair.png => C:\Users\Admin\Pictures\ResetRepair.png.ecBdaedEe | C:\Users\Admin\AppData\Local\Temp\5d41ca42ee12076258175a571521067e95d54e5cb3aecee46915c60a23aa1761.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\ResumeConvertFrom.tiff | C:\Users\Admin\AppData\Local\Temp\5d41ca42ee12076258175a571521067e95d54e5cb3aecee46915c60a23aa1761.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\RestartUse.raw => C:\Users\Admin\Pictures\RestartUse.raw.ecBdaedEe | C:\Users\Admin\AppData\Local\Temp\5d41ca42ee12076258175a571521067e95d54e5cb3aecee46915c60a23aa1761.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ResumeConvertFrom.tiff => C:\Users\Admin\Pictures\ResumeConvertFrom.tiff.ecBdaedEe | C:\Users\Admin\AppData\Local\Temp\5d41ca42ee12076258175a571521067e95d54e5cb3aecee46915c60a23aa1761.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\5d41ca42ee12076258175a571521067e95d54e5cb3aecee46915c60a23aa1761.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | \??\Z:\$RECYCLE.BIN\S-1-5-21-1594587808-2047097707-2163810515-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\5d41ca42ee12076258175a571521067e95d54e5cb3aecee46915c60a23aa1761.exe | N/A |
Enumerates connected drives
Enumerates physical storage devices
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\vssadmin.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\5d41ca42ee12076258175a571521067e95d54e5cb3aecee46915c60a23aa1761.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\5d41ca42ee12076258175a571521067e95d54e5cb3aecee46915c60a23aa1761.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | C:\Users\Admin\AppData\Local\Temp\5d41ca42ee12076258175a571521067e95d54e5cb3aecee46915c60a23aa1761.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\5d41ca42ee12076258175a571521067e95d54e5cb3aecee46915c60a23aa1761.exe
"C:\Users\Admin\AppData\Local\Temp\5d41ca42ee12076258175a571521067e95d54e5cb3aecee46915c60a23aa1761.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c wmic.exe SHADOWCOPY /nointeractive
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c wbadmin DELETE SYSTEMSTATEBACKUP
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} recoveryenabled No
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c wmic.exe SHADOWCOPY /nointeractive
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c wbadmin DELETE SYSTEMSTATEBACKUP
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} recoveryenabled No
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c wmic.exe SHADOWCOPY /nointeractive
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c wbadmin DELETE SYSTEMSTATEBACKUP
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic.exe SHADOWCOPY /nointeractive
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} recoveryenabled No
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet
C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic.exe SHADOWCOPY /nointeractive
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic.exe SHADOWCOPY /nointeractive
C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
Network
| Country | Destination | Domain | Proto |
| N/A | 10.10.0.1:445 | tcp | |
| N/A | 10.10.0.1:139 | tcp |
Files
memory/2116-114-0x0000000000000000-mapping.dmp
memory/2872-115-0x0000000000000000-mapping.dmp
memory/508-116-0x0000000000000000-mapping.dmp
memory/2732-117-0x0000000000000000-mapping.dmp
memory/3164-118-0x0000000000000000-mapping.dmp
memory/1972-119-0x0000000000000000-mapping.dmp
memory/656-120-0x0000000000000000-mapping.dmp
memory/3716-121-0x0000000000000000-mapping.dmp
memory/3444-122-0x0000000000000000-mapping.dmp
memory/2428-123-0x0000000000000000-mapping.dmp
memory/4088-124-0x0000000000000000-mapping.dmp
memory/4024-125-0x0000000000000000-mapping.dmp
memory/2876-126-0x0000000000000000-mapping.dmp
memory/1284-127-0x0000000000000000-mapping.dmp
memory/3412-129-0x0000000000000000-mapping.dmp
memory/2268-128-0x0000000000000000-mapping.dmp
memory/4172-130-0x0000000000000000-mapping.dmp
memory/4192-131-0x0000000000000000-mapping.dmp
memory/4248-132-0x0000000000000000-mapping.dmp
memory/4328-133-0x0000000000000000-mapping.dmp
memory/4348-134-0x0000000000000000-mapping.dmp
memory/4464-136-0x0000000000000000-mapping.dmp
memory/4448-135-0x0000000000000000-mapping.dmp
memory/4508-137-0x0000000000000000-mapping.dmp