Analysis
-
max time kernel
90s -
max time network
99s -
platform
windows10_x64 -
resource
win10-en-20211014 -
submitted
20-10-2021 17:29
Static task
static1
Behavioral task
behavioral1
Sample
Muisvc(unpacked).exe
Resource
win7-en-20210920
Behavioral task
behavioral2
Sample
Muisvc(unpacked).exe
Resource
win10-en-20211014
General
-
Target
Muisvc(unpacked).exe
-
Size
1.0MB
-
MD5
dee33a5b0f93ffbf6c5da9e376b89c9b
-
SHA1
e5c0415345340ccec55c6e79503296a846db7a70
-
SHA256
b654cc6156b8cb72642d97672847401552bf72b208d52047b2697612ef3107d1
-
SHA512
9ff39cbd360eca2adafd44f60064da2b6d7e1961599ef28de97d0582725d02c4a81e6429e2a9d33f389d175fb12136d190fd4d2188a44d50d02b2f1fede241c8
Malware Config
Extracted
C:\odt\120860-readme.html
Signatures
-
Avaddon
Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 10 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
Muisvc(unpacked).exedescription ioc process File renamed C:\Users\Admin\Pictures\SaveExit.crw => C:\Users\Admin\Pictures\SaveExit.crw.avdn Muisvc(unpacked).exe File renamed C:\Users\Admin\Pictures\SendConvertTo.crw => C:\Users\Admin\Pictures\SendConvertTo.crw.avdn Muisvc(unpacked).exe File opened for modification C:\Users\Admin\Pictures\TestMove.tiff Muisvc(unpacked).exe File renamed C:\Users\Admin\Pictures\DisconnectInitialize.png => C:\Users\Admin\Pictures\DisconnectInitialize.png.avdn Muisvc(unpacked).exe File renamed C:\Users\Admin\Pictures\RedoDeny.png => C:\Users\Admin\Pictures\RedoDeny.png.avdn Muisvc(unpacked).exe File opened for modification C:\Users\Admin\Pictures\ShowResolve.tiff Muisvc(unpacked).exe File renamed C:\Users\Admin\Pictures\ShowResolve.tiff => C:\Users\Admin\Pictures\ShowResolve.tiff.avdn Muisvc(unpacked).exe File renamed C:\Users\Admin\Pictures\TestMove.tiff => C:\Users\Admin\Pictures\TestMove.tiff.avdn Muisvc(unpacked).exe File renamed C:\Users\Admin\Pictures\ResumeProtect.crw => C:\Users\Admin\Pictures\ResumeProtect.crw.avdn Muisvc(unpacked).exe File renamed C:\Users\Admin\Pictures\RevokeEdit.crw => C:\Users\Admin\Pictures\RevokeEdit.crw.avdn Muisvc(unpacked).exe -
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
Muisvc(unpacked).exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\Muisvc(unpacked).exe" Muisvc(unpacked).exe Key created \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run Muisvc(unpacked).exe Set value (str) \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\Muisvc(unpacked).exe" Muisvc(unpacked).exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Muisvc(unpacked).exe -
Processes:
Muisvc(unpacked).exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Muisvc(unpacked).exe -
Drops desktop.ini file(s) 1 IoCs
Processes:
Muisvc(unpacked).exedescription ioc process File opened for modification \??\Z:\$RECYCLE.BIN\S-1-5-21-941723256-3451054534-3089625102-1000\desktop.ini Muisvc(unpacked).exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
Muisvc(unpacked).exedescription ioc process File opened (read-only) \??\V: Muisvc(unpacked).exe File opened (read-only) \??\W: Muisvc(unpacked).exe File opened (read-only) \??\I: Muisvc(unpacked).exe File opened (read-only) \??\J: Muisvc(unpacked).exe File opened (read-only) \??\K: Muisvc(unpacked).exe File opened (read-only) \??\M: Muisvc(unpacked).exe File opened (read-only) \??\P: Muisvc(unpacked).exe File opened (read-only) \??\R: Muisvc(unpacked).exe File opened (read-only) \??\T: Muisvc(unpacked).exe File opened (read-only) \??\Y: Muisvc(unpacked).exe File opened (read-only) \??\B: Muisvc(unpacked).exe File opened (read-only) \??\F: Muisvc(unpacked).exe File opened (read-only) \??\N: Muisvc(unpacked).exe File opened (read-only) \??\O: Muisvc(unpacked).exe File opened (read-only) \??\U: Muisvc(unpacked).exe File opened (read-only) \??\X: Muisvc(unpacked).exe File opened (read-only) \??\A: Muisvc(unpacked).exe File opened (read-only) \??\G: Muisvc(unpacked).exe File opened (read-only) \??\L: Muisvc(unpacked).exe File opened (read-only) \??\Q: Muisvc(unpacked).exe File opened (read-only) \??\S: Muisvc(unpacked).exe File opened (read-only) \??\Z: Muisvc(unpacked).exe File opened (read-only) \??\E: Muisvc(unpacked).exe File opened (read-only) \??\H: Muisvc(unpacked).exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 14 api.myip.com 15 api.myip.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exevssadmin.exevssadmin.exepid process 3808 vssadmin.exe 648 vssadmin.exe 3756 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
Muisvc(unpacked).exepid process 2632 Muisvc(unpacked).exe 2632 Muisvc(unpacked).exe 2632 Muisvc(unpacked).exe 2632 Muisvc(unpacked).exe 2632 Muisvc(unpacked).exe 2632 Muisvc(unpacked).exe 2632 Muisvc(unpacked).exe 2632 Muisvc(unpacked).exe 2632 Muisvc(unpacked).exe 2632 Muisvc(unpacked).exe 2632 Muisvc(unpacked).exe 2632 Muisvc(unpacked).exe 2632 Muisvc(unpacked).exe 2632 Muisvc(unpacked).exe 2632 Muisvc(unpacked).exe 2632 Muisvc(unpacked).exe 2632 Muisvc(unpacked).exe 2632 Muisvc(unpacked).exe 2632 Muisvc(unpacked).exe 2632 Muisvc(unpacked).exe 2632 Muisvc(unpacked).exe 2632 Muisvc(unpacked).exe 2632 Muisvc(unpacked).exe 2632 Muisvc(unpacked).exe 2632 Muisvc(unpacked).exe 2632 Muisvc(unpacked).exe 2632 Muisvc(unpacked).exe 2632 Muisvc(unpacked).exe 2632 Muisvc(unpacked).exe 2632 Muisvc(unpacked).exe 2632 Muisvc(unpacked).exe 2632 Muisvc(unpacked).exe 2632 Muisvc(unpacked).exe 2632 Muisvc(unpacked).exe 2632 Muisvc(unpacked).exe 2632 Muisvc(unpacked).exe 2632 Muisvc(unpacked).exe 2632 Muisvc(unpacked).exe 2632 Muisvc(unpacked).exe 2632 Muisvc(unpacked).exe 2632 Muisvc(unpacked).exe 2632 Muisvc(unpacked).exe 2632 Muisvc(unpacked).exe 2632 Muisvc(unpacked).exe 2632 Muisvc(unpacked).exe 2632 Muisvc(unpacked).exe 2632 Muisvc(unpacked).exe 2632 Muisvc(unpacked).exe 2632 Muisvc(unpacked).exe 2632 Muisvc(unpacked).exe 2632 Muisvc(unpacked).exe 2632 Muisvc(unpacked).exe 2632 Muisvc(unpacked).exe 2632 Muisvc(unpacked).exe 2632 Muisvc(unpacked).exe 2632 Muisvc(unpacked).exe 2632 Muisvc(unpacked).exe 2632 Muisvc(unpacked).exe 2632 Muisvc(unpacked).exe 2632 Muisvc(unpacked).exe 2632 Muisvc(unpacked).exe 2632 Muisvc(unpacked).exe 2632 Muisvc(unpacked).exe 2632 Muisvc(unpacked).exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
wmic.exevssvc.exewmic.exewmic.exedescription pid process Token: SeIncreaseQuotaPrivilege 4040 wmic.exe Token: SeSecurityPrivilege 4040 wmic.exe Token: SeTakeOwnershipPrivilege 4040 wmic.exe Token: SeLoadDriverPrivilege 4040 wmic.exe Token: SeSystemProfilePrivilege 4040 wmic.exe Token: SeSystemtimePrivilege 4040 wmic.exe Token: SeProfSingleProcessPrivilege 4040 wmic.exe Token: SeIncBasePriorityPrivilege 4040 wmic.exe Token: SeCreatePagefilePrivilege 4040 wmic.exe Token: SeBackupPrivilege 4040 wmic.exe Token: SeRestorePrivilege 4040 wmic.exe Token: SeShutdownPrivilege 4040 wmic.exe Token: SeDebugPrivilege 4040 wmic.exe Token: SeSystemEnvironmentPrivilege 4040 wmic.exe Token: SeRemoteShutdownPrivilege 4040 wmic.exe Token: SeUndockPrivilege 4040 wmic.exe Token: SeManageVolumePrivilege 4040 wmic.exe Token: 33 4040 wmic.exe Token: 34 4040 wmic.exe Token: 35 4040 wmic.exe Token: 36 4040 wmic.exe Token: SeBackupPrivilege 1208 vssvc.exe Token: SeRestorePrivilege 1208 vssvc.exe Token: SeAuditPrivilege 1208 vssvc.exe Token: SeIncreaseQuotaPrivilege 2436 wmic.exe Token: SeSecurityPrivilege 2436 wmic.exe Token: SeTakeOwnershipPrivilege 2436 wmic.exe Token: SeLoadDriverPrivilege 2436 wmic.exe Token: SeSystemProfilePrivilege 2436 wmic.exe Token: SeSystemtimePrivilege 2436 wmic.exe Token: SeProfSingleProcessPrivilege 2436 wmic.exe Token: SeIncBasePriorityPrivilege 2436 wmic.exe Token: SeCreatePagefilePrivilege 2436 wmic.exe Token: SeBackupPrivilege 2436 wmic.exe Token: SeRestorePrivilege 2436 wmic.exe Token: SeShutdownPrivilege 2436 wmic.exe Token: SeDebugPrivilege 2436 wmic.exe Token: SeSystemEnvironmentPrivilege 2436 wmic.exe Token: SeRemoteShutdownPrivilege 2436 wmic.exe Token: SeUndockPrivilege 2436 wmic.exe Token: SeManageVolumePrivilege 2436 wmic.exe Token: 33 2436 wmic.exe Token: 34 2436 wmic.exe Token: 35 2436 wmic.exe Token: 36 2436 wmic.exe Token: SeIncreaseQuotaPrivilege 956 wmic.exe Token: SeSecurityPrivilege 956 wmic.exe Token: SeTakeOwnershipPrivilege 956 wmic.exe Token: SeLoadDriverPrivilege 956 wmic.exe Token: SeSystemProfilePrivilege 956 wmic.exe Token: SeSystemtimePrivilege 956 wmic.exe Token: SeProfSingleProcessPrivilege 956 wmic.exe Token: SeIncBasePriorityPrivilege 956 wmic.exe Token: SeCreatePagefilePrivilege 956 wmic.exe Token: SeBackupPrivilege 956 wmic.exe Token: SeRestorePrivilege 956 wmic.exe Token: SeShutdownPrivilege 956 wmic.exe Token: SeDebugPrivilege 956 wmic.exe Token: SeSystemEnvironmentPrivilege 956 wmic.exe Token: SeRemoteShutdownPrivilege 956 wmic.exe Token: SeUndockPrivilege 956 wmic.exe Token: SeManageVolumePrivilege 956 wmic.exe Token: 33 956 wmic.exe Token: 34 956 wmic.exe -
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
Muisvc(unpacked).exedescription pid process target process PID 2632 wrote to memory of 4040 2632 Muisvc(unpacked).exe wmic.exe PID 2632 wrote to memory of 4040 2632 Muisvc(unpacked).exe wmic.exe PID 2632 wrote to memory of 4040 2632 Muisvc(unpacked).exe wmic.exe PID 2632 wrote to memory of 3808 2632 Muisvc(unpacked).exe vssadmin.exe PID 2632 wrote to memory of 3808 2632 Muisvc(unpacked).exe vssadmin.exe PID 2632 wrote to memory of 3808 2632 Muisvc(unpacked).exe vssadmin.exe PID 2632 wrote to memory of 2436 2632 Muisvc(unpacked).exe wmic.exe PID 2632 wrote to memory of 2436 2632 Muisvc(unpacked).exe wmic.exe PID 2632 wrote to memory of 2436 2632 Muisvc(unpacked).exe wmic.exe PID 2632 wrote to memory of 648 2632 Muisvc(unpacked).exe vssadmin.exe PID 2632 wrote to memory of 648 2632 Muisvc(unpacked).exe vssadmin.exe PID 2632 wrote to memory of 648 2632 Muisvc(unpacked).exe vssadmin.exe PID 2632 wrote to memory of 956 2632 Muisvc(unpacked).exe wmic.exe PID 2632 wrote to memory of 956 2632 Muisvc(unpacked).exe wmic.exe PID 2632 wrote to memory of 956 2632 Muisvc(unpacked).exe wmic.exe PID 2632 wrote to memory of 3756 2632 Muisvc(unpacked).exe vssadmin.exe PID 2632 wrote to memory of 3756 2632 Muisvc(unpacked).exe vssadmin.exe PID 2632 wrote to memory of 3756 2632 Muisvc(unpacked).exe vssadmin.exe -
System policy modification 1 TTPs 3 IoCs
Processes:
Muisvc(unpacked).exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Muisvc(unpacked).exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" Muisvc(unpacked).exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" Muisvc(unpacked).exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Muisvc(unpacked).exe"C:\Users\Admin\AppData\Local\Temp\Muisvc(unpacked).exe"1⤵
- Modifies extensions of user files
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/648-119-0x0000000000000000-mapping.dmp
-
memory/956-120-0x0000000000000000-mapping.dmp
-
memory/2436-118-0x0000000000000000-mapping.dmp
-
memory/2632-115-0x00000000013A0000-0x00000000014AA000-memory.dmpFilesize
1.0MB
-
memory/3756-121-0x0000000000000000-mapping.dmp
-
memory/3808-117-0x0000000000000000-mapping.dmp
-
memory/4040-116-0x0000000000000000-mapping.dmp