avaddon | b654cc6156b8cb72642d97672847401552bf72b208d52047b2697612ef3107d1

General

Target

Muisvc(unpacked).exe
Size

1.0MB
MD5

dee33a5b0f93ffbf6c5da9e376b89c9b
SHA1

e5c0415345340ccec55c6e79503296a846db7a70
SHA256

b654cc6156b8cb72642d97672847401552bf72b208d52047b2697612ef3107d1
SHA512

9ff39cbd360eca2adafd44f60064da2b6d7e1961599ef28de97d0582725d02c4a81e6429e2a9d33f389d175fb12136d190fd4d2188a44d50d02b2f1fede241c8

Score

10^/10

avaddon evasion persistence ransomware suricata trojan

Malware Config

Extracted

Path

C:\odt\058684-readme.html

Ransom Note

<html> <head> <title>Inferno</title> <style> *, :after, :before { box-sizing: border-box; } html, body { margin: 0; background: #000000; font-family: sans-serif; line-height: 1.5; color: #777; } h1 { margin: 0; font-size: 2rem; } h2 { margin: 0; font-size: 1.4rem; } h3 { margin: 0; font-size: 1.2rem; } li, p { margin-top: 0; margin-bottom: .7rem; font-size: 1.1rem; letter-spacing: .02rem; } .logo { display: flex; justify-content: center; padding: 1.3rem 0; } .title { background-color: #ffffff; padding: .5rem 0; } .title h1 { text-align: center; } .title h1 span{ color: #000; } .description, .attention, .cc { width: 900px; max-width: 100%; margin: auto; padding: 1.3rem 0; } .copy-btn { opacity: .3; cursor: pointer; } .copy-btn svg { width: 18px; } .copy-btn:hover { opacity: 1; } .link { cursor: pointer; } .link:hover { text-shadow: 0 0 3px #828282; } .identity-head { display: flex; justify-content: space-between; } .identity { word-break: break-all; background-color: #e3f5eb; padding: 1rem; font-size: 1.1rem; font-family: monospace; margin-bottom: 1.3rem; } .attention p { text-transform: uppercase; color: #dc3545; text-align: center; } </style> </head> <body> <div class="logo"> <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="200" height="250" viewBox="0 0 200 250"> <image width="200" height="250" xlink:href="data:img/png;base64,/9j/4AAQSkZJRgABAQEBLAEsAAD/4S/wRXhpZgAASUkqAAgAAAAHABIBAwABAAAAAQAAABoBBQAB AAAAYgAAABsBBQABAAAAagAAACgBAwABAAAAAgAAADEBAgANAAAAcgAAADIBAgAUAAAAgAAAAGmH BAABAAAAlAAAAKYAAAAsAQAAAQAAACwBAAABAAAAR0lNUCAyLjEwLjI0AAAyMDIxOjA5OjA5IDE0 OjM3OjU3AAEAAaADAAEAAAABAAAAAAAAAAgAAAEEAAEAAADMAAAAAQEEAAEAAAAAAQAAAgEDAAMA AAAMAQAAAwEDAAEAAAAGAAAABgEDAAEAAAAGAAAAFQEDAAEAAAADAAAAAQIEAAEAAAASAQAAAgIE AAEAAADWLgAAAAAAAAgACAAIAP/Y/+AAEEpGSUYAAQEAAAEAAQAA/9sAQwAIBgYHBgUIBwcHCQkI CgwUDQwLCwwZEhMPFB0aHx4dGhwcICQuJyAiLCMcHCg3KSwwMTQ0NB8nOT04MjwuMzQy/9sAQwEJ CQkMCwwYDQ0YMiEcITIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIy MjIyMjIy/8AAEQgBAADMAwEiAAIRAQMRAf/EAB8AAAEFAQEBAQEBAAAAAAAAAAABAgMEBQYHCAkK C//EALUQAAIBAwMCBAMFBQQEAAABfQECAwAEEQUSITFBBhNRYQcicRQygZGhCCNCscEVUtHwJDNi coIJChYXGBkaJSYnKCkqNDU2Nzg5OkNERUZHSElKU1RVVldYWVpjZGVmZ2hpanN0dXZ3eHl6g4SF hoeIiYqSk5SVlpeYmZqio6Slpqeoqaqys7S1tre4ubrCw8TFxsfIycrS09TV1tfY2drh4uPk5ebn 6Onq8fLz9PX29/j5+v/EAB8BAAMBAQEBAQEBAQEAAAAAAAABAgMEBQYHCAkKC//EALURAAIBAgQE AwQHBQQEAAECdwABAgMRBAUhMQYSQVEHYXETIjKBCBRCkaGxwQkjM1LwFWJy0QoWJDThJfEXGBka JicoKSo1Njc4OTpDREVGR0hJSlNUVVZXWFlaY2RlZmdoaWpzdHV2d3h5eoKDhIWGh4iJipKTlJWW l5iZmqKjpKWmp6ipqrKztLW2t7i5usLDxMXGx8jJytLT1NXW19jZ2uLj5OXm5+jp6vLz9PX29/j5 +v/aAAwDAQACEQMRAD8A8ZXWNV8hnGoXgxzkysc8/Wr0fiO/aMH7Xc8fexKTWXbyKtu6kjbtIyaq I5Ugr94UAdSmu32Fxd3LEnP+tb/GkuPFN7ECI7u4Ge/nNmsCKfA445qCTByxIye1AG7aeKdYe9jD ajchSfu+e2P511K32oucvqV0oIPC3B/TmvOY2Ak8zHII4rq7C48+2WQkg5Ix2oA2/tuo7UZdTvME kD/SDTo9W1JJtr6lOw/67t/k1RSYlTwR834dc08zRgYUDO7PJ6igC62oaxJJ+51C5wc8CY/41G2r a3Dgfb7o+5mYf1rP+0tGwZX4B55qSW9llKqzg56EntQBaXWdaZju1C6BIyMTt/Q06PWNWyf+Jndk +879fzrMkkdnYF2GDz0/SmLMyuAX79SKANN9V1kcNqd6p9PtL/41EusazlgdUvWI4/4+X5/Wqzyj PDY55J74pziRyCMHd3IFAEra7q4yF1S+Bz/z8N/jUn9v6s0QB1S8BH/Tduf1qlPG8a7yVHXBHeoQ QSDt3H07UAaP9u6yF+bVLwdxi4bn9asprGtOwA1W9JZf+fhhistQjsNxxzkYHIp7EE9WwvJ2nigD R/tPX1jz/a96TnP/AB8NkfrS/wBtay0h3atfAA4GLlx+PWsjOVIXLM2cAkU57WRxvMnznjg9vSgD TfWNd3ZOq3u31Fw3+NOttZ1ogmXVL/rx++fP8+lZceYpDly+89MnirB2sxAYg9sc0AaZ1rVWH/IT vtxPTzmH9ahkvdaLbhrOoKM/dFy/P61Riy4CQ+ZI/wDGOtPljltiqXDqrHkAMGI/L/GgC3cazrCj Karfg88NcOOPwNWYNb1IRDfrOoA+13J/9esqWMzAFZNygE7pB19qgtvLSM+bJhicjahIx+dAHHWq kRqxHGc49cGoACzNgYB6VegI8tSqjOWAHrUJjKXDqvQcUARKoiYo45BwaRwCchTtq1OoMzAjaw6g 01VJQgZ9h7UAVwpIwPx966PQo2uLaRmwBG3PHP8AnisTYViGOcnNdV4dgjWzl3HYTzkmgB6oSg2/ LzjAp32bcSyuMt0HU4q4beMOHBwCCMZ70jqPOVlOFXGRQBSubURhCOcYz3zUZhhljQgkYJHA61oG NSeXDCl+zwuDsUdOmaAKSqu1QAcexprRRg9GYdCc+tTyQHcm3OKkFtGAA5w2eSKAInjhdEUgA7cY z19zThkxgL94Dt6dR/OpDBCMBQMdAe561Fsfz1cAbeP/ANVAEdxGzKCTliPTpUNtG4lHOcnuKuvE 25fm9zziljjLk5A3A/LQBHKqFcBOaUptZSwBBwSO2KvrbbYxj5jnHXpUUm0jGcGgCqI1jfzI9obH 8Q5NAc7/AN2ByOfyqRlR3BbOPX1q/Y6U9xcRxSYSXBYL0JHqfQUAZot5bqYFEEj+g4xV+O2toI2k uHZpd2FiQ8fjVy4uo7EC3t1AXGHlUfyqgfJEbSO2Mc7mNAA80zxlICEiJyUUY/8A10SWe9Aqqrc5 PH9at2sVr9mWYyfeBOeoNRTDP7yGUA44BNAHPPqkcN7OhGIlG38cVhT6xIZmweMnGB2qjI8qu7M5 J6HnOaZuVfvgZPPNAGnYL+7TG3O45J/Kk1K1NsY5WOd2M46GnWuXtxg4wc881q6xbNNpqbQCQqyZ XsD60AYFw4M5I46E/WjcFj+/hu4FMOQW39e5qN2VFIGCCc5oAswEAPjkgfKM9K6LQHL29wHOcEfe rmQ6iMOqsCMd8V0GgHe8wGCWjBxuxQBuyGIJw4YgA4HAHP8A9aohIXUZYfNjgnmnSQyAKpAAAAPP aj7O6yKAQvZhux0oAAgx5hICg/KMdqY8OeARk9DnGKti3eKFBGpPGc7ulI1s6lW68c4J70AZhZ0k GZMD061ZP75s7uemDmrEtsOijgDutPC7wAU7ZGDQBUltWT5wpIznk+1EgYugUFQSPmJ5x2q26SM+ wsApGMlsDNDQtEQwGQPfv0xQBWVYw2XUHAwSFq5EkbyDBXtzioGM2GO4upOecfyqaAs2fu9RxnkU AWEwOpOR0xVV4sZ3R854I5OfStAD90UeFf8Aexz+ApYLMsWmlQ+RGeT/AHj9f8+lAEVjbCRd7AKq /emccD6e9SXl6gLQWcDRqWBlldvmkGBxn8/rmop5pJ5MHCxqSQq9B14wKgMZZioViM/j+FAEXksW UtkjFRarJHFpxIjAJYDLtxz7VcjhUOwYFs9ODis/xFCi6eBMh+ZxjjHfpQAmjF5rERkZZXPbt2q5 cQRxxszDBxznpVLw1M2XiQAFl7sTj8ulXtXkkgsrjfsKqhbIHXA7elAHmkp3DcVAyajYHdyAferL lptoAXjAGPWlYyI7KCF56DHFAGnpyqbd1KkqQcnOP89K10X7XpoIJOE2Dn0rG0x1RAssvlJ3ZV3M eOOK3LbVNNtI0jht55WbiQ3D5U/Tbg/rQBzHlOkhY5Jwck461EI3mbZGrSP6BSa6WfXILJ2S3t7G MvkktaK5X6M2TUtn4huZIZEGsTRQkcxK+wE+wAxQBgwaNrU2ww6bdyYPG2Bjj8hXTaHoesQ3Dy3W nXUSFAAZ4WUDnpkjFalppM+pWoktdQlmAGdu8Er/AIVsaV4W1qC6aWJ7hdo+Untn3/z1oAxpUwFR cjaMN0NQYkSY5LjHTIzz/kV2NymsMPOmtY7wRjazXEe49uM9eh6isad9KE0L3unXVsHXIa3l3E++ GBoAz1ZUQFiSW9BUay5IL5JPQcHFXY4tJuT/AKPrkCMW2iK7h2n65Gf5VJ/wjGosjNEIrmIYKyQy gqfbsaAKmD5YUFjlSRxxmk3ImGKoVA5VuR+Vadn4c1q7tp5raxaSKMNubeOMegzzWJtks/MW7jZG VfuuMEHHpQBJJdRkkRO2O6jp/npUDzSxkuSVC52gKBj06U1poGIMayoP9rpn246U6X53LpGCuAME HJxigCMTytxk8tltvFTC4kL5jbaPXA5/SmCKeRxCq7S2AvapNiJMIZLgIif60qRkewoAuxI91Gkt xORGDgDGNxH0q5qN0EhitYt0SqAzKvHJHAPP6+/0qml157xeRE8duGCLuHUZA696df8AyahLhhgS EBeuMcDqPQUARqCCgO7I/hB7flS25/0gDOeSfu5H86ikznCYIPGT2pofA+SXGCScnAoA1IsCQgPl s44jHzCsfxQpOjg7FwsqAOCM8nv3q7almnMZY7ccHGRXP3N+914cuPNBd4LsrnGcjNADbK4Nlcq4 w0f3VH97/P0rRv7mS68M6jJMI8r8qgcnaemK5dZMOSM/eBUc9auS6qiaPf20qZM2zyyOxDDP6ZoA wUAhnVupI6MTj8cU5kQzS74RI28nKvgD2qMyRiUbSSpx8rc1cjVE3DYx5znjuAaAGxIhUq3J68Hp VxINyxME+QkgZ46VRtnUR4J3Z68dPeteB/NEaxElQAQTzQBn6jaIkayLu4HzE9KzY2B5xxXTalGz ac6En5hkYHcVziHbgFchh1PagC5Z3DWySSRySK+N2EYgcfSvRPCfxHvLa6gt9UPnW0ihCQPmX3z3 rzSIEyGLALE8GtO0/dyAgBcDbn1A/wD10AfVVo1nPBFcRKH8wDDDH5/yqLUdD028VhPBHhhkAdK8 68G+IWWzaKeYLDBySx6qc5H54/Otm41fVNdCppxkgt0JHn45k7YUf1oA5nxNomlRyS2VpbpcTKTt WLnA/DpWHY+GNU0uEXd5q5s4U/5d4m3nB/T+dem6f4RuYbYs5jj8z5mwPmz6se9YHiPTm0bZ5n71 JBkk8jP0oAqeDvGN5HBdQQ2jPC7lI2k4+Yetchqmof2lqF1cg7RJIzDsMZz0rctr8aFq9lblN0IG +Y7clWckn9MfnVa806CbUJrexuF+zOxMRxyvcLj0zxmgDBgt5Lm7SG3Yln6bztHHv6cV0FpptvBb me7aKaZy2yKFi2AAwB/PH86qeIVtbC1mMm65u3XhFOEjGcAnHU57dK3fANwFtN7rBcLt3qrRgvHI VUdeyjcT+FAFKxu7eS6fT4bRpGYblEx3EE4GfQVk+IdKvLbX2tdSeN5mt1kBUcbff1PvXuKafZWc UNwtjHJOeTLtHU88n8a8R8ca1/aPxLu0QbfLtvI4Pcc0AO0Dw5qsytNYpJJaJIONw2kjnGCc0mpK /wBvn82NopTIzPGexJ6V6Xoc2maZoNvbRXInYJ0HHXufWuf8X2FgNKN23/H6uwl0XqOmCe9AHEq8 owFHyqMnjJ96VVBboQi4JHoaEnAXf0LcYNLHkuUDAA85xnigCxCwiwe55wTXFm4bbc2/mIY5ZNzq OcEGu2gh+Zv7pOBx1rgJwqXMitgDzGGMe9AFmOBCyljjaCTnjpVa5uVkLeWuIE4GOpNXp3H2KWRh uymB6ZrBZh5YQZz60AS23lveAE8MDgEZHSrc5W3dUUgAqDxVWyjD3SZ49MVpAuOJYwWAAG4YIA6U AZsRDrtXI47HNb/h7BmQSfMAGAYdDjpWJAiqrF0IUAYx1zW1okipKWEYDLkjd7j0oA6OZI5HZGQM MEDiuDuIkiv3VsgBi2M9q7ZMYC5ZmQ8muY1e1VdTkQgDeO5/WgDPjnRC5ViSDx7/AFoS9Ma5bBPI HHQE0LEcNIigjI6DpTZRbbGVOXJBzn36UAel6NNp1vYm71Vv3BCbYVOWmIGdvsOhP/166m1+KNnp 75fT3htQPvHG4D2AryxL+J2s4Cu+SXIyBgDHt71X8Q+ULRI43+cvkrnpQB9M6R4hstd0+O6srhZo Xzu7Mp9CK5TxwxvriwghG8GTY474/wD1V5f4F1ubQJ7ebzG+zM2ydexT1/DrXoxu11LxYiWhyVUy gk5BwMfrmgCG404FHv2iDB5Nm7pwAFHPpxWTb6Mlj51+biIq2ViRGJKdMD6+1euSaPHPo62uwAKm DjpmvCdXFxaX1zaxTSNbwyHagkIBwf7uce1AGYbp21e6Ow/YZI2gbceSRnp+J/WnaTqkVi621tMY yIiHO7A69D+lQ2dpPe2YlbPktK21HJwCxGSPXirsWjRP9rgkTa+1GDADIG0AfTkGgD0rwn4st73T 79dTdGSKJpFdzhcgdP5V4lFcvceMYtTnibyrmckDsQeAM1JfXsmwaalxtTH70g9cdjXceB9H0/Ut Ptje5EYYqjhcfN160AeoXdjqFpa2T6Bb2bwSRqJ4ZAASO/zdjXIeLvE0et6defZrUC3tYgjqQBhy 2M/gcfrV7XdWutPiS0kt3hlhjMkN4jBtxx0I6EV5leX888YLhQp/hQYHXqRnmgCtHcBiPNjBBOdo 4yBU8co84bXOW4Pt7VXLZOSuR6+lThmLgRYyvHTigDVSLfPhWHloc5zjmvPrnBvJyFLYduPXk12l qztLtZ0LAcAAnmuPZSbxgPvCQ/Tv19KAJLlHt9AUOcs77qyMlgshXt1rcvlefTIoSPmBJAA5NYlw uzCnoACMdOlAFnTJQJSSMsikgg9AOta0oeYhzDnOcEnryay7G2LbiFKgpyRz1NRPNdo5VZN+OpJx QBICFHygnI4H+Fa2nb5CBhMMuAAc1kwuODjaGIwQP0FakE5ieMJyMk4J/CgDoYNyAqkbE5yeayPE YQTW0uQhYFCCMZJ/D2rctmMuWVei4J+lZfiWNn0t3wdyMDk9hQBzEsbJG6FPmz8pB6UyGB3D4i5z ndn+mamRWkttoOBjngYP41ZtontondgoGCwwMj3FAGehmtrxWkILRL8ozjjsf1p0jme+dpJWZd2Q OtMui7XkpdQpHO38P/1UxnUTK3yAf7tAG5pLSNL9lXIhwSBg5B616J4e1i306IX10DNPboixxggF gCeM/TFeX2M6xX8SxNuznI2+xrsrO+Q6VFAoYXEchkLjg4x2NAHZp8VdTvXZHsYoUcbV8tiShPrn r+GK5q3M2tXgsn2bsF52xyE/+v0q7eaM2q2aXTOxvHjysokGW93ypJx68GsXS3Ph7U7mG6ulX5Cx 243Nk8DoTn3oA6SSOG0jAUKsERDY3AOzHgDjpk1Ld/8AEpvtUzGWN5pqTmOKMvwAAMemDznPGayh qdrqNtC4gCwCTcmW5dhwGJ9fb3NaN8dWvdZvZLSyVtJuraOya4IDHCYJx6c4J+goA8rit3yxRS5b JGB0/Ovo7wPpkNv4I06BzuLxibDc43ckdK8h1HQGs9RKpkwyrkZwWz/nNe8eGrmz/wCEbht7Zwgj UKuMBunUigDkvE+nSTpFZwH96QfJO0HC9OcsDxn0rGuPCdrpNjH5yR3krYWQtN5ZBI4C9ge/zHFd V49s86F/acThby2HUtwVJGT7Hv8AhXk8+t3l8wE925UcBVP8/Xp+tAFS7hj+0zbEKRFjt3n5h7Ht mmxKyMgV1JyWweOO1WbO3udSuhb2cTSvyeBz+dT3OkajYeU15A8PnEhBIRn8R1H44oAhKzedndhC QcqMVxU0Li4cF0y0jfxdOe/evTrQR26YYiQgZJDdPrXI+K9Ph069tri13NDPmUjAwp9vagDOkVkt gTKpCqRwf/11jiMvzLKu0jAUHr/hWs8vm2EbqMksc9qopC7xRk5Dh8EjtzQAtoj7nUkkDaCDxn0q e1t90RMIQpnq+Cc4GfwoxtS6dHLjeApx0xz/AI1bhaOJSqRhhnJO0nmgDDhchFAYdh0ye3ep0kaO ZQzkCq9rgx7BkgHsPar0MZaXy9oXcMjIzQB0OnzHy22sWBII+lSaoBNptyg5LJnJGMGqGmp/pax4 I9q17qECJo2BKkHpQBw9tMWjXfhgMbgTjNW3uC48qQheNvy+1VQlvG8uB0YoB1pYYvl3ZBBwTjv7 UAVb1gbyQnc2cFfpgYpJW2zkyYOMDj2FWH2SybjyVCjim/Z2mJ2LlgcYPIoASyUfbo3cZBGeB7V3 Hh+1hv7e4KvMsnAIVAQvv7/QYrk7SNUnt9+AApyx7Hmuu8OT31vO09hCJEYBZAy4XHrn1oAuPNda JZ+TNP52wnynUkDHYfWtXw74auNU1ZVvUjlNwvnu+4HHYAEcgDIGKxfErNNq9rC+BwZDs6exP61t Qarq9lZi9sYd83VmYBSV4GB/hQBf8YeA7fR7KCSzSdXa4jUfZweSXGTt7/Lu/Sp7S4vNLt7SwZHE Jt/MkSTKuzHPbtj09xVm28aXk9pGLuHyzGOCUyAe38v1qK4uojDaS3t0yGRTIG3AkZ5xj0oAq3UC DS43uP3s07BIicjpznP0xXX+GbcxW6WpDxvE2Gw3DcdvavPW8SyavrtuLbaLC1dVLOMKuCOAe54/ WuiuPE+2+863dY4MYbd1H0+tAHVeJrSTW7ZtMYMLZiC54G7byAOelcrbaP4e8O3EbzSW4kVuEJ3Z PbJ6/rVHUNfe3sBJbZu5ZHIZ2kwEPUDFcdK9xdTyzTMzzSHLAdvpQB6Ve6tol/cp5hCT7Svnx4Yq MAHGenFc9qesywWIslmS+sGV1DlDuYbeM56EHHIrnmsJ0YNsYkjJx6UggkTBZiI/7p45oApX2oTQ WEyQoFkdcFj7mjSA194f1S3JJWOIMoYZ2nnkVU1LLjB3Jkluew6VLoUMsOm6jIrkqY8HP4/40Ac+ Mw2km52y3X69zVD7UXeNByM9WrQu4GECosh+YjAx3qpHYlpYmY4yT06cUASW8oS2JILSFyeenA71 Ya/w5IQDOD8pODx1qRLMmHajAtnlSuOcdKiNnMDxsYnrkZwaAKVqrLHjPft1rQt4pWIJ24XBx3NZ MQLBdxY+mD17cGr0RMZyZCAV+oFAG5aSf6Urtg8jJ9q3XjD53E9OlczZvlRt+9wevUZrogAyIykn OSPWgDir63W31i4jBO0kMp+v/wBekitma5K7goC4b0J/zirfiCPZrCM2RlBjBxUKsIpoioJ5DH07 0AUJomjZdpySvfqOvH6Uo4Xf0HQgHGeKlvMb1dg2CgII5GSxqIOmcLkjHPGccUAXNMx5sAxvdwfv fw8n+ldv4ae8Dy/KDp8jgMoThcdx6VxWjxKss29d7eSQqk42nI5/z613mhJfRaO7Ft2nkEPwflYD 1oAraklxf3NxNbREgKyovUhR34rqPC88lxpkNndQoZACoKLg9eM598flXO6XFLF5F/bTyQoRtlwv 38n7oNeg+HLZ5pjc3JSKJJGKZHQk5/LFAC23hKTxCry3UrwWXBQQgZkbOCfp1/Os34heHtE0bw+L iyuJFu49q7JG3GQfj0/Dsa09Z8UwabAlvaYDv/qwsmON3GeePr6ZNczDbXniK9g1G/sVu7Qho1R5 fLQnruOf880Aef2txsjWEBjGx3SLuwG4/wDrVsX94t2kIitVhjXpsbOfequsJaf2jtitDZlWKSQK dwUg9jVSRQrJ5Ttj7xABoA1I3KhUXBGOgqTyjCFZmzwc457Vjz3htdKuJGYHdwvHOfam6dclrNPv HkgnOKAOhGozRDMMhGBjnsKmtNTkaRjcMvltxjb+tZilsq6ncACBjnHXGaswGJoy7PtyORjrg0AZ OvXCPqjrEQ6j5Qegq3pdux8K6hdlwVDrHtHU5rEvJDuycgHqcdaltrwLodxb8+ZJMGwOwAHOaAKt +u6UBJANo+XmkWLDW27bwh4qBEGVjJLMck/Sr2S7wbuNsZGQPegA6kuuNwcBcHqR1qlcybJyqs64 6++ef61qLAEhBXBI3A9sHBwarSw7JGG4jnpxx2oA5+3yu1gMccMBn/PSr0W4MeWI/utx+VUbdi0Y O5h2znp71YMRaPeGLkNkYHP4UAa9rKo24X5D1A4NdHBcIYthKhgflwQMjHauVikEKoUIfnHQc8dv SulgVRaRy4UZUA88mgDG8QwmWe2dgxOCOO3Tvis9JJI1SNcHJ6dSevr+FaviYNDb28xOAJdoUDjG DWIGTzfO3KeAwA+o65z6UAQXLqsjKFK4AK8e5PP51Cp8mbvkHbgjAbmrV28jSSKAoVhlemPrz9ad BYSwGGa42DDZHmNjf6e+DxQBbhSW3sJnWJ9zHLkLjy1z0P1rtfD32x9Ju7eKXdatGS4K/cOOORUv iF9Ms/CCSRPaS3szLPcbGAJP90KACB7Vn+GbqW8iSKxkigbOJQThSPcUAdDZQ28Wlyt9oeRIQJFX AIDY4wTXEw+ItS2Srb6g/lBsje65bnA5I5IFdh4VmlGo3GlzoiqXKkE4J44PXpjtiuNu9KewvJrK e1EckBIPlSHDH+9nGcEdPrQBZnv7q9VxLMkZIJMMSAucKOpGTg8Zx6dBVuXWJJIoGW6VJEjx5CFl AweBz6gD0rLjufItxDCrhS2AMkZ/TmhSvkK8dtaOWGG3DPpzjHB6+lAEktwtzdPczxHfI25scD8K vQtZTP5ckcscjY24IxUNpb2whYtsiyN2xI5Mf+hda0LCzt7qUZeFlbjzEjk3fpxQBzvjGOK2t7aN JSd7bsbTx+PerWlQRtYLIWVFDgMTnuM8YBqHx7HFHc2dtCkaso5CFiT9d3T8Kk0G7msZLf55Ps4b MirJjcenfigDo4bOAgCKdXb7pQZJ5+oFPNlb2umXcssNwjBSAHjIHpx9Kn+wWHnb3ldjIR8ruFJz 7Y/z2qPVrP7FoRmWRtk21eOAVyD9O1AHJMu/d8nGQRzxTXtXCFmySwyvtTmUO26OQgjrkdOKC5ET sxB3jtnrQBkzwhRvcnkcDP8An9a1/LkgjgkAO1ohg4Hr61kXnzzJCOTuwQo5+ua6rUCIbO1TccKO vXORQBnW4jdTuY8k89ec1Quz+/JMSMT1O7HfFW7VlbeyKWRn5YDp6iquoWzLcKQCAyAjGaAOfiBU lfbp6f5xVtZCoBZsYwRj3qAR5mJBwoPGfzxVnyY+OCST24oAuRzAQg5XqC1dHZXSfYw5O0Llj6mu cSESDZGrfP1zVoTblMCuVQfKoX+KgCn4h1B7q5VXGxVXKqOcmqdiVJZXkb5gEwcj35q3rMbRXNlv 5YxkEk+9UVyJA5Qn58EjuM0APuGSOVEJ3IMAqT94E/8A1v1rp5rEajaxyy7TMXJwBgIgAwOnc5rm 9TQedkA4xwR69vw612VtIBaQs2cY+XA4P1oA5rUIUisnhU7SilzkkknNTeF7iIrdQsyq0i7txwD9 Kivo5pIp2ZgAUbnoMZrBtrqSwZ3VQWI2qe1AHq9uItRtYmt5Et9QtQoBeXDSj+6T/I1s6hYReInh ilIttTCACRwdr5z8rj1B7j171xGkOt/YRzs4jlGCrAdT711cV/emFWf555ZRDG6kErnPT8j9DigD Et/DmoXN1PbT7S8bDCRneTjqc9uO/sRV+XwqbOMyXdrdxKuNuSoPPcjbzXqmn21n4I8PQF42m1SZ jtXGXYnkgeo4qlq3ji50+WJdV0jFrO3y7mU8A5P9KAPMbvShZkOxie2PyiSNMMD6MPWtPTpNJt4R 9qRUcMFB8kHr7hhW/wCI49Pl3z28W22uLcTMOu1s9vzNcj4rNtDpGnyIgWaS6hX/AFQ2nDA9e/0o A5v4hS2kniW3Nuu2JYV4wR3PqT/OohPHDEhAGdvp39ad8Q5YpvFCyDblLeMERpsXOT2pAm+0Uq2N y8nHI4oA9c8MQ2934etHnkWSRlOxXAJHzfXPpWT8TJBYaFY20L7FllyyEYB2jGRyf71dB8PdX0+4 0Wy0ZVD6h8+QFUnaD7+xrlPjNLG1/pVqkQiaKFpHVQP4m74/3cUAeexymQ4ZsAjHyilvJFWNPu9O MiobcccgqpJGOhNMuZImicODwMKxNAFe3eIarAMcAgc9K7TUIA1nudccZ+mK4XDu9u0YXzNwwc8H Fdhb6qbvT5o5ImScKRkjg0AZtmvkrMFwPmHTpzV/+wZLwCUueBgYbHH51mac58lyY2Ys/c+1b9jd PBbBFzjPO4c0AeehSsrDO3k81ZVsbc5Ddcjk4qN1/eyxk5Ic9PY1Ig3IBuXjg4PIoAsLcNCmY9pO CpYjJ5/rUunQkz4YkmMbjz09BVWQKqIMqgB4AGc+9dJ4dsoZvMBfC8Zzxn3oA5TWr0XOoFUxtjG0 Hrk96fazLCqGVv3bDJPUjn/61R61Alnq9zbxbSqyEhvrzj9arABynXd0JNAF+ZVMkflSZVlDHPcK TiuqUs+kIkLBxtxn0zxmuK8p2yArHoPbk/412NmRFoscjNs/dg8e9AGUYmljmj3HcqnYe3PWuU4I A9PWuwgxvli81if4SPpzXHyDY7oOzEUAddpV6sGhs0ZQyQRknJyK6bwVry3NzYzSx7nS5VScZX2G K8qVmVCoYgHritTQdSWznMMzlIZSMv8A3GB4agD274p+KZ9F8TWUwjlEDxNGkyD7pBGQPz/lXHnx DH4ku4UN9JNFD/B5ZyBW3Jrlh4m0uLSdcjLQsihJscoRj5lb8+PSuQ1HwZqvhO4uLvS5xewFCFkg OGUHHLDrQB1o1m21ES6Xby7GTaskkn93sAOw71gfEKJ9N1bQ9L+1+cg2zEjpkkYx+tc54auGt2vZ bgM7cM2/qfWsXU9Vn1K+FzKzZUAR/N90DpQBueM7iKbxZOsfzohRASeSNoP8yatsxW3iiGADwCO2 a5WKdnuY5ZTvdzgsWyfxrr4UildFY/MSP50Adb8Prn7J4qsbuQkx28M8pBH/AEyOf5D8q4i8vLy/ 8uW7naRwAivIecZJxn6k10Frfrp8csiqRI1u8CnP3SyEZ/WucmRdj4zgPt57elACuD5vJBwMZzVW +iWNAN+QRk+mfWpVm+Zs527fz7VBcf6t0Y4z1z6dsUAM0ve9xCQNy5z0xWqk+LwNjbHJJs69CKo6 dzdoFfIC5x6e1LGXN0m5SAbgY9KANSMJHGm1wH5+XHv1rWi4jHzLzyMVm6hGscqlBlAQMg9M/wD1 xVyGFZoUbKoMYALc4oA4a5YpqNxkHiVwM9xuNS2oClTI4Kk56Z3flUV+0aazeZDZ89xx/vVLBkKB jHzAHPB/GgCy8ZOSwDFjzxgY7V03haIkSheCV+QZrn3QSqqEsT3wRmuh8Nh3ikDKAAvG7igDlPEk ZTxFcocA5ByRjsKzWGFVd3IOMY61s+MIlj1zjALxq3Un1rIT5VyV3PwAAaABXkEm3DHHzA57j/8A VXWWm99MtYiSAzBWB9QOlcnKzL5hI/eZOSOwzjp25zW5YSyfYrI5YYmPcY60AMIkt9RkALAByp78 e1c5cgfaZRk/eOPzrotS41m44b1Dccf/AFq5+9IN3IVHGaAICeABSe9KDijOaANfTPEN5YSwF2Nx DCwKxMeODnH05rsNI8ZRKY/LAt5ACGjY5Ug5xj8+nPSvN8UZxQB6tfPpmspJFPCIJSdslxblRxju M4NcBrmhXOi3CrL88EuTFMvKuP8AGobPVprULG7GSPsGJO36V0w8nVtPEJYFJGOGCHKt2I//AFUA cfAcyKFJDEgV1tvFIvltnJ3gZ6965Iq1rdmOTIaN9r49jzXW21zGYA6gcMGIx2zQBYvbuWNpQEEm CAHzzz7VmyXbs+xcHhskeuf/AK1W2lWSP5RgPyQeeueKzVkQTuSAQjBV9PrQBXYSElFXkNjrmrJl XYBIMlckkYzUZVmBOBk9RVR5iXQeXypOAmcmgDQ0ppPtQChsFDnPNXIFdGtI5OT9pyBt7VFpxPmv GBsUrnkdat2RY32lrJlmkk3Z7UAaepRutzBnvkcH+dQu0S7VdZGIHYnj8vfNbetRbJbYLtZfLfeQ OetYqLC4zOyo/wCeR2Oc0Acffqq6xebs5Fw/Ge2afAVU7W6bSMdqi1Eldevcscee+f8Avo1ajRfN H+yDj0oAttIU5AJO31wa7PR2jSOI8AunC9sVyKkEDDBGHbFddpe0pEdp2KvBx3oA5Hx0qJraFSGz Av1HJrn0m2AEryOnPNdR46tlD2dwgwWDIxP5j+tcmFEka4zuJ28fpQAomDOc59uc/nWpbTGAJGSG 2EDI4qla25EcjlSu1wueuOK09LsoGL6hfsRaJ8qpn5pW9BQBOtneateu0Ns0v95ydoH1OcUy98L3 cl5hbiyDuB8pm7/XGKuX+o3F3LCiAwQFPkij4VfrisDV0YFJN/AJA5oAj1HQ9Q0s5u7famceYjBl P4iqDY7c1raX4jvNOJjYi4tm4eGXkMKvXGkWGsRfadGPly9ZLV27/wCzQBzJyOtJnipJoZLeV4pU ZJFOCrDBFR0AGK3/AA7NIZGjBLbBlBngGsDrXTeFrJ2ZpsD5uFz7f/r/AEoAqeIUiOuSyKPKWRVf avY4/wDrVdjCGz65UgYyc5NZmuSxz6xcvGQI1IVcewwf1zV+xBNjHui/3T60AWGkUuDgKpzlQv41 RtrgKZpG4LsTnHTmrVw6RRSO2eVYgj6cVTjyLdVEZDZ5PYGgCyZcOiRsc

Signatures

Avaddon
Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.
ransomware avaddon
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
suricata: ET MALWARE Win32/Avaddon Ransomware Style External IP Address Check
suricata: ET MALWARE Win32/Avaddon Ransomware Style External IP Address Check
suricata
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 10 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

Muisvc(unpacked).exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\EnableConfirm.tiff	Muisvc(unpacked).exe
File renamed	C:\Users\Admin\Pictures\EnableConfirm.tiff => C:\Users\Admin\Pictures\EnableConfirm.tiff.avdn	Muisvc(unpacked).exe
File renamed	C:\Users\Admin\Pictures\ExpandSave.crw => C:\Users\Admin\Pictures\ExpandSave.crw.avdn	Muisvc(unpacked).exe
File opened for modification	C:\Users\Admin\Pictures\ExportExpand.tiff	Muisvc(unpacked).exe
File renamed	C:\Users\Admin\Pictures\NewHide.crw => C:\Users\Admin\Pictures\NewHide.crw.avdn	Muisvc(unpacked).exe
File renamed	C:\Users\Admin\Pictures\ExportExpand.tiff => C:\Users\Admin\Pictures\ExportExpand.tiff.avdn	Muisvc(unpacked).exe
File renamed	C:\Users\Admin\Pictures\GrantJoin.png => C:\Users\Admin\Pictures\GrantJoin.png.avdn	Muisvc(unpacked).exe
File renamed	C:\Users\Admin\Pictures\InvokeUndo.crw => C:\Users\Admin\Pictures\InvokeUndo.crw.avdn	Muisvc(unpacked).exe
File renamed	C:\Users\Admin\Pictures\PingFind.tif => C:\Users\Admin\Pictures\PingFind.tif.avdn	Muisvc(unpacked).exe
File renamed	C:\Users\Admin\Pictures\SaveDeny.png => C:\Users\Admin\Pictures\SaveDeny.png.avdn	Muisvc(unpacked).exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Muisvc(unpacked).exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	Muisvc(unpacked).exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\Muisvc(unpacked).exe"	Muisvc(unpacked).exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run	Muisvc(unpacked).exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\Muisvc(unpacked).exe"	Muisvc(unpacked).exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Muisvc(unpacked).exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Muisvc(unpacked).exe
Drops desktop.ini file(s) 1 IoCs

Processes:

Muisvc(unpacked).exe

description ioc process

File opened for modification \??\Z:\$RECYCLE.BIN\S-1-5-21-2481030822-2828258191-1606198294-1000\desktop.ini Muisvc(unpacked).exe

description	ioc	process
File opened for modification	\??\Z:\$RECYCLE.BIN\S-1-5-21-2481030822-2828258191-1606198294-1000\desktop.ini	Muisvc(unpacked).exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Muisvc(unpacked).exe

description	ioc	process
File opened (read-only)	\??\Y:	Muisvc(unpacked).exe
File opened (read-only)	\??\E:	Muisvc(unpacked).exe
File opened (read-only)	\??\G:	Muisvc(unpacked).exe
File opened (read-only)	\??\T:	Muisvc(unpacked).exe
File opened (read-only)	\??\V:	Muisvc(unpacked).exe
File opened (read-only)	\??\W:	Muisvc(unpacked).exe
File opened (read-only)	\??\X:	Muisvc(unpacked).exe
File opened (read-only)	\??\B:	Muisvc(unpacked).exe
File opened (read-only)	\??\I:	Muisvc(unpacked).exe
File opened (read-only)	\??\U:	Muisvc(unpacked).exe
File opened (read-only)	\??\Z:	Muisvc(unpacked).exe
File opened (read-only)	\??\Q:	Muisvc(unpacked).exe
File opened (read-only)	\??\R:	Muisvc(unpacked).exe
File opened (read-only)	\??\A:	Muisvc(unpacked).exe
File opened (read-only)	\??\F:	Muisvc(unpacked).exe
File opened (read-only)	\??\H:	Muisvc(unpacked).exe
File opened (read-only)	\??\J:	Muisvc(unpacked).exe
File opened (read-only)	\??\K:	Muisvc(unpacked).exe
File opened (read-only)	\??\M:	Muisvc(unpacked).exe
File opened (read-only)	\??\L:	Muisvc(unpacked).exe
File opened (read-only)	\??\N:	Muisvc(unpacked).exe
File opened (read-only)	\??\O:	Muisvc(unpacked).exe
File opened (read-only)	\??\P:	Muisvc(unpacked).exe
File opened (read-only)	\??\S:	Muisvc(unpacked).exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

8 api.myip.com
9 api.myip.com
16 api.myip.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exe

pid process

1544 vssadmin.exe
1008 vssadmin.exe
1716 vssadmin.exe

flow	ioc
8	api.myip.com
9	api.myip.com
16	api.myip.com

pid	process
1544	vssadmin.exe
1008	vssadmin.exe
1716	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Muisvc(unpacked).exe

pid	process
2804	Muisvc(unpacked).exe
2804	Muisvc(unpacked).exe
2804	Muisvc(unpacked).exe
2804	Muisvc(unpacked).exe
2804	Muisvc(unpacked).exe
2804	Muisvc(unpacked).exe
2804	Muisvc(unpacked).exe
2804	Muisvc(unpacked).exe
2804	Muisvc(unpacked).exe
2804	Muisvc(unpacked).exe
2804	Muisvc(unpacked).exe
2804	Muisvc(unpacked).exe
2804	Muisvc(unpacked).exe
2804	Muisvc(unpacked).exe
2804	Muisvc(unpacked).exe
2804	Muisvc(unpacked).exe
2804	Muisvc(unpacked).exe
2804	Muisvc(unpacked).exe
2804	Muisvc(unpacked).exe
2804	Muisvc(unpacked).exe
2804	Muisvc(unpacked).exe
2804	Muisvc(unpacked).exe
2804	Muisvc(unpacked).exe
2804	Muisvc(unpacked).exe
2804	Muisvc(unpacked).exe
2804	Muisvc(unpacked).exe
2804	Muisvc(unpacked).exe
2804	Muisvc(unpacked).exe
2804	Muisvc(unpacked).exe
2804	Muisvc(unpacked).exe
2804	Muisvc(unpacked).exe
2804	Muisvc(unpacked).exe
2804	Muisvc(unpacked).exe
2804	Muisvc(unpacked).exe
2804	Muisvc(unpacked).exe
2804	Muisvc(unpacked).exe
2804	Muisvc(unpacked).exe
2804	Muisvc(unpacked).exe
2804	Muisvc(unpacked).exe
2804	Muisvc(unpacked).exe
2804	Muisvc(unpacked).exe
2804	Muisvc(unpacked).exe
2804	Muisvc(unpacked).exe
2804	Muisvc(unpacked).exe
2804	Muisvc(unpacked).exe
2804	Muisvc(unpacked).exe
2804	Muisvc(unpacked).exe
2804	Muisvc(unpacked).exe
2804	Muisvc(unpacked).exe
2804	Muisvc(unpacked).exe
2804	Muisvc(unpacked).exe
2804	Muisvc(unpacked).exe
2804	Muisvc(unpacked).exe
2804	Muisvc(unpacked).exe
2804	Muisvc(unpacked).exe
2804	Muisvc(unpacked).exe
2804	Muisvc(unpacked).exe
2804	Muisvc(unpacked).exe
2804	Muisvc(unpacked).exe
2804	Muisvc(unpacked).exe
2804	Muisvc(unpacked).exe
2804	Muisvc(unpacked).exe
2804	Muisvc(unpacked).exe
2804	Muisvc(unpacked).exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

wmic.exevssvc.exewmic.exewmic.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2040	wmic.exe
Token: SeSecurityPrivilege	2040	wmic.exe
Token: SeTakeOwnershipPrivilege	2040	wmic.exe
Token: SeLoadDriverPrivilege	2040	wmic.exe
Token: SeSystemProfilePrivilege	2040	wmic.exe
Token: SeSystemtimePrivilege	2040	wmic.exe
Token: SeProfSingleProcessPrivilege	2040	wmic.exe
Token: SeIncBasePriorityPrivilege	2040	wmic.exe
Token: SeCreatePagefilePrivilege	2040	wmic.exe
Token: SeBackupPrivilege	2040	wmic.exe
Token: SeRestorePrivilege	2040	wmic.exe
Token: SeShutdownPrivilege	2040	wmic.exe
Token: SeDebugPrivilege	2040	wmic.exe
Token: SeSystemEnvironmentPrivilege	2040	wmic.exe
Token: SeRemoteShutdownPrivilege	2040	wmic.exe
Token: SeUndockPrivilege	2040	wmic.exe
Token: SeManageVolumePrivilege	2040	wmic.exe
Token: 33	2040	wmic.exe
Token: 34	2040	wmic.exe
Token: 35	2040	wmic.exe
Token: 36	2040	wmic.exe
Token: SeBackupPrivilege	396	vssvc.exe
Token: SeRestorePrivilege	396	vssvc.exe
Token: SeAuditPrivilege	396	vssvc.exe
Token: SeIncreaseQuotaPrivilege	3592	wmic.exe
Token: SeSecurityPrivilege	3592	wmic.exe
Token: SeTakeOwnershipPrivilege	3592	wmic.exe
Token: SeLoadDriverPrivilege	3592	wmic.exe
Token: SeSystemProfilePrivilege	3592	wmic.exe
Token: SeSystemtimePrivilege	3592	wmic.exe
Token: SeProfSingleProcessPrivilege	3592	wmic.exe
Token: SeIncBasePriorityPrivilege	3592	wmic.exe
Token: SeCreatePagefilePrivilege	3592	wmic.exe
Token: SeBackupPrivilege	3592	wmic.exe
Token: SeRestorePrivilege	3592	wmic.exe
Token: SeShutdownPrivilege	3592	wmic.exe
Token: SeDebugPrivilege	3592	wmic.exe
Token: SeSystemEnvironmentPrivilege	3592	wmic.exe
Token: SeRemoteShutdownPrivilege	3592	wmic.exe
Token: SeUndockPrivilege	3592	wmic.exe
Token: SeManageVolumePrivilege	3592	wmic.exe
Token: 33	3592	wmic.exe
Token: 34	3592	wmic.exe
Token: 35	3592	wmic.exe
Token: 36	3592	wmic.exe
Token: SeIncreaseQuotaPrivilege	1056	wmic.exe
Token: SeSecurityPrivilege	1056	wmic.exe
Token: SeTakeOwnershipPrivilege	1056	wmic.exe
Token: SeLoadDriverPrivilege	1056	wmic.exe
Token: SeSystemProfilePrivilege	1056	wmic.exe
Token: SeSystemtimePrivilege	1056	wmic.exe
Token: SeProfSingleProcessPrivilege	1056	wmic.exe
Token: SeIncBasePriorityPrivilege	1056	wmic.exe
Token: SeCreatePagefilePrivilege	1056	wmic.exe
Token: SeBackupPrivilege	1056	wmic.exe
Token: SeRestorePrivilege	1056	wmic.exe
Token: SeShutdownPrivilege	1056	wmic.exe
Token: SeDebugPrivilege	1056	wmic.exe
Token: SeSystemEnvironmentPrivilege	1056	wmic.exe
Token: SeRemoteShutdownPrivilege	1056	wmic.exe
Token: SeUndockPrivilege	1056	wmic.exe
Token: SeManageVolumePrivilege	1056	wmic.exe
Token: 33	1056	wmic.exe
Token: 34	1056	wmic.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

Muisvc(unpacked).exe

description	pid	process	target process
PID 2804 wrote to memory of 2040	2804	Muisvc(unpacked).exe	wmic.exe
PID 2804 wrote to memory of 2040	2804	Muisvc(unpacked).exe	wmic.exe
PID 2804 wrote to memory of 2040	2804	Muisvc(unpacked).exe	wmic.exe
PID 2804 wrote to memory of 1544	2804	Muisvc(unpacked).exe	vssadmin.exe
PID 2804 wrote to memory of 1544	2804	Muisvc(unpacked).exe	vssadmin.exe
PID 2804 wrote to memory of 1544	2804	Muisvc(unpacked).exe	vssadmin.exe
PID 2804 wrote to memory of 3592	2804	Muisvc(unpacked).exe	wmic.exe
PID 2804 wrote to memory of 3592	2804	Muisvc(unpacked).exe	wmic.exe
PID 2804 wrote to memory of 3592	2804	Muisvc(unpacked).exe	wmic.exe
PID 2804 wrote to memory of 1008	2804	Muisvc(unpacked).exe	vssadmin.exe
PID 2804 wrote to memory of 1008	2804	Muisvc(unpacked).exe	vssadmin.exe
PID 2804 wrote to memory of 1008	2804	Muisvc(unpacked).exe	vssadmin.exe
PID 2804 wrote to memory of 1056	2804	Muisvc(unpacked).exe	wmic.exe
PID 2804 wrote to memory of 1056	2804	Muisvc(unpacked).exe	wmic.exe
PID 2804 wrote to memory of 1056	2804	Muisvc(unpacked).exe	wmic.exe
PID 2804 wrote to memory of 1716	2804	Muisvc(unpacked).exe	vssadmin.exe
PID 2804 wrote to memory of 1716	2804	Muisvc(unpacked).exe	vssadmin.exe
PID 2804 wrote to memory of 1716	2804	Muisvc(unpacked).exe	vssadmin.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

Processes:

Muisvc(unpacked).exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Muisvc(unpacked).exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Muisvc(unpacked).exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	Muisvc(unpacked).exe

C:\Users\Admin\AppData\Local\Temp\Muisvc(unpacked).exe
"C:\Users\Admin\AppData\Local\Temp\Muisvc(unpacked).exe"
1⤵
- Modifies extensions of user files
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2804

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2040

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
2⤵
- Interacts with shadow copies
PID:1544

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3592

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
2⤵
- Interacts with shadow copies
PID:1008

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1056

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
2⤵
- Interacts with shadow copies
PID:1716

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:396

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

1

T1089

Modify Registry

3

T1112

File Deletion

2

T1107

Credential Access

Discovery

System Information Discovery

3

T1082

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1008-119-0x0000000000000000-mapping.dmp

Download
memory/1056-120-0x0000000000000000-mapping.dmp

Download
memory/1544-117-0x0000000000000000-mapping.dmp

Download
memory/1716-121-0x0000000000000000-mapping.dmp

Download
memory/2040-116-0x0000000000000000-mapping.dmp

Download
memory/2804-115-0x0000000000920000-0x0000000000A2A000-memory.dmp

Filesize
1.0MB

Download
memory/3592-118-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads