Analysis
-
max time kernel
26s -
max time network
28s -
platform
windows10_x64 -
resource
win10-en-20210920 -
submitted
21-10-2021 18:50
Static task
static1
Behavioral task
behavioral1
Sample
Muisvc(unpacked).exe
Resource
win7-en-20211014
Behavioral task
behavioral2
Sample
Muisvc(unpacked).exe
Resource
win10-en-20210920
General
-
Target
Muisvc(unpacked).exe
-
Size
1.0MB
-
MD5
dee33a5b0f93ffbf6c5da9e376b89c9b
-
SHA1
e5c0415345340ccec55c6e79503296a846db7a70
-
SHA256
b654cc6156b8cb72642d97672847401552bf72b208d52047b2697612ef3107d1
-
SHA512
9ff39cbd360eca2adafd44f60064da2b6d7e1961599ef28de97d0582725d02c4a81e6429e2a9d33f389d175fb12136d190fd4d2188a44d50d02b2f1fede241c8
Malware Config
Extracted
C:\odt\058684-readme.html
Signatures
-
Avaddon
Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.
-
suricata: ET MALWARE Win32/Avaddon Ransomware Style External IP Address Check
suricata: ET MALWARE Win32/Avaddon Ransomware Style External IP Address Check
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 10 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
Muisvc(unpacked).exedescription ioc process File opened for modification C:\Users\Admin\Pictures\EnableConfirm.tiff Muisvc(unpacked).exe File renamed C:\Users\Admin\Pictures\EnableConfirm.tiff => C:\Users\Admin\Pictures\EnableConfirm.tiff.avdn Muisvc(unpacked).exe File renamed C:\Users\Admin\Pictures\ExpandSave.crw => C:\Users\Admin\Pictures\ExpandSave.crw.avdn Muisvc(unpacked).exe File opened for modification C:\Users\Admin\Pictures\ExportExpand.tiff Muisvc(unpacked).exe File renamed C:\Users\Admin\Pictures\NewHide.crw => C:\Users\Admin\Pictures\NewHide.crw.avdn Muisvc(unpacked).exe File renamed C:\Users\Admin\Pictures\ExportExpand.tiff => C:\Users\Admin\Pictures\ExportExpand.tiff.avdn Muisvc(unpacked).exe File renamed C:\Users\Admin\Pictures\GrantJoin.png => C:\Users\Admin\Pictures\GrantJoin.png.avdn Muisvc(unpacked).exe File renamed C:\Users\Admin\Pictures\InvokeUndo.crw => C:\Users\Admin\Pictures\InvokeUndo.crw.avdn Muisvc(unpacked).exe File renamed C:\Users\Admin\Pictures\PingFind.tif => C:\Users\Admin\Pictures\PingFind.tif.avdn Muisvc(unpacked).exe File renamed C:\Users\Admin\Pictures\SaveDeny.png => C:\Users\Admin\Pictures\SaveDeny.png.avdn Muisvc(unpacked).exe -
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
Muisvc(unpacked).exedescription ioc process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Muisvc(unpacked).exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\Muisvc(unpacked).exe" Muisvc(unpacked).exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run Muisvc(unpacked).exe Set value (str) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\Muisvc(unpacked).exe" Muisvc(unpacked).exe -
Processes:
Muisvc(unpacked).exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Muisvc(unpacked).exe -
Drops desktop.ini file(s) 1 IoCs
Processes:
Muisvc(unpacked).exedescription ioc process File opened for modification \??\Z:\$RECYCLE.BIN\S-1-5-21-2481030822-2828258191-1606198294-1000\desktop.ini Muisvc(unpacked).exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
Muisvc(unpacked).exedescription ioc process File opened (read-only) \??\Y: Muisvc(unpacked).exe File opened (read-only) \??\E: Muisvc(unpacked).exe File opened (read-only) \??\G: Muisvc(unpacked).exe File opened (read-only) \??\T: Muisvc(unpacked).exe File opened (read-only) \??\V: Muisvc(unpacked).exe File opened (read-only) \??\W: Muisvc(unpacked).exe File opened (read-only) \??\X: Muisvc(unpacked).exe File opened (read-only) \??\B: Muisvc(unpacked).exe File opened (read-only) \??\I: Muisvc(unpacked).exe File opened (read-only) \??\U: Muisvc(unpacked).exe File opened (read-only) \??\Z: Muisvc(unpacked).exe File opened (read-only) \??\Q: Muisvc(unpacked).exe File opened (read-only) \??\R: Muisvc(unpacked).exe File opened (read-only) \??\A: Muisvc(unpacked).exe File opened (read-only) \??\F: Muisvc(unpacked).exe File opened (read-only) \??\H: Muisvc(unpacked).exe File opened (read-only) \??\J: Muisvc(unpacked).exe File opened (read-only) \??\K: Muisvc(unpacked).exe File opened (read-only) \??\M: Muisvc(unpacked).exe File opened (read-only) \??\L: Muisvc(unpacked).exe File opened (read-only) \??\N: Muisvc(unpacked).exe File opened (read-only) \??\O: Muisvc(unpacked).exe File opened (read-only) \??\P: Muisvc(unpacked).exe File opened (read-only) \??\S: Muisvc(unpacked).exe -
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 8 api.myip.com 9 api.myip.com 16 api.myip.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exevssadmin.exevssadmin.exepid process 1544 vssadmin.exe 1008 vssadmin.exe 1716 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
Muisvc(unpacked).exepid process 2804 Muisvc(unpacked).exe 2804 Muisvc(unpacked).exe 2804 Muisvc(unpacked).exe 2804 Muisvc(unpacked).exe 2804 Muisvc(unpacked).exe 2804 Muisvc(unpacked).exe 2804 Muisvc(unpacked).exe 2804 Muisvc(unpacked).exe 2804 Muisvc(unpacked).exe 2804 Muisvc(unpacked).exe 2804 Muisvc(unpacked).exe 2804 Muisvc(unpacked).exe 2804 Muisvc(unpacked).exe 2804 Muisvc(unpacked).exe 2804 Muisvc(unpacked).exe 2804 Muisvc(unpacked).exe 2804 Muisvc(unpacked).exe 2804 Muisvc(unpacked).exe 2804 Muisvc(unpacked).exe 2804 Muisvc(unpacked).exe 2804 Muisvc(unpacked).exe 2804 Muisvc(unpacked).exe 2804 Muisvc(unpacked).exe 2804 Muisvc(unpacked).exe 2804 Muisvc(unpacked).exe 2804 Muisvc(unpacked).exe 2804 Muisvc(unpacked).exe 2804 Muisvc(unpacked).exe 2804 Muisvc(unpacked).exe 2804 Muisvc(unpacked).exe 2804 Muisvc(unpacked).exe 2804 Muisvc(unpacked).exe 2804 Muisvc(unpacked).exe 2804 Muisvc(unpacked).exe 2804 Muisvc(unpacked).exe 2804 Muisvc(unpacked).exe 2804 Muisvc(unpacked).exe 2804 Muisvc(unpacked).exe 2804 Muisvc(unpacked).exe 2804 Muisvc(unpacked).exe 2804 Muisvc(unpacked).exe 2804 Muisvc(unpacked).exe 2804 Muisvc(unpacked).exe 2804 Muisvc(unpacked).exe 2804 Muisvc(unpacked).exe 2804 Muisvc(unpacked).exe 2804 Muisvc(unpacked).exe 2804 Muisvc(unpacked).exe 2804 Muisvc(unpacked).exe 2804 Muisvc(unpacked).exe 2804 Muisvc(unpacked).exe 2804 Muisvc(unpacked).exe 2804 Muisvc(unpacked).exe 2804 Muisvc(unpacked).exe 2804 Muisvc(unpacked).exe 2804 Muisvc(unpacked).exe 2804 Muisvc(unpacked).exe 2804 Muisvc(unpacked).exe 2804 Muisvc(unpacked).exe 2804 Muisvc(unpacked).exe 2804 Muisvc(unpacked).exe 2804 Muisvc(unpacked).exe 2804 Muisvc(unpacked).exe 2804 Muisvc(unpacked).exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
wmic.exevssvc.exewmic.exewmic.exedescription pid process Token: SeIncreaseQuotaPrivilege 2040 wmic.exe Token: SeSecurityPrivilege 2040 wmic.exe Token: SeTakeOwnershipPrivilege 2040 wmic.exe Token: SeLoadDriverPrivilege 2040 wmic.exe Token: SeSystemProfilePrivilege 2040 wmic.exe Token: SeSystemtimePrivilege 2040 wmic.exe Token: SeProfSingleProcessPrivilege 2040 wmic.exe Token: SeIncBasePriorityPrivilege 2040 wmic.exe Token: SeCreatePagefilePrivilege 2040 wmic.exe Token: SeBackupPrivilege 2040 wmic.exe Token: SeRestorePrivilege 2040 wmic.exe Token: SeShutdownPrivilege 2040 wmic.exe Token: SeDebugPrivilege 2040 wmic.exe Token: SeSystemEnvironmentPrivilege 2040 wmic.exe Token: SeRemoteShutdownPrivilege 2040 wmic.exe Token: SeUndockPrivilege 2040 wmic.exe Token: SeManageVolumePrivilege 2040 wmic.exe Token: 33 2040 wmic.exe Token: 34 2040 wmic.exe Token: 35 2040 wmic.exe Token: 36 2040 wmic.exe Token: SeBackupPrivilege 396 vssvc.exe Token: SeRestorePrivilege 396 vssvc.exe Token: SeAuditPrivilege 396 vssvc.exe Token: SeIncreaseQuotaPrivilege 3592 wmic.exe Token: SeSecurityPrivilege 3592 wmic.exe Token: SeTakeOwnershipPrivilege 3592 wmic.exe Token: SeLoadDriverPrivilege 3592 wmic.exe Token: SeSystemProfilePrivilege 3592 wmic.exe Token: SeSystemtimePrivilege 3592 wmic.exe Token: SeProfSingleProcessPrivilege 3592 wmic.exe Token: SeIncBasePriorityPrivilege 3592 wmic.exe Token: SeCreatePagefilePrivilege 3592 wmic.exe Token: SeBackupPrivilege 3592 wmic.exe Token: SeRestorePrivilege 3592 wmic.exe Token: SeShutdownPrivilege 3592 wmic.exe Token: SeDebugPrivilege 3592 wmic.exe Token: SeSystemEnvironmentPrivilege 3592 wmic.exe Token: SeRemoteShutdownPrivilege 3592 wmic.exe Token: SeUndockPrivilege 3592 wmic.exe Token: SeManageVolumePrivilege 3592 wmic.exe Token: 33 3592 wmic.exe Token: 34 3592 wmic.exe Token: 35 3592 wmic.exe Token: 36 3592 wmic.exe Token: SeIncreaseQuotaPrivilege 1056 wmic.exe Token: SeSecurityPrivilege 1056 wmic.exe Token: SeTakeOwnershipPrivilege 1056 wmic.exe Token: SeLoadDriverPrivilege 1056 wmic.exe Token: SeSystemProfilePrivilege 1056 wmic.exe Token: SeSystemtimePrivilege 1056 wmic.exe Token: SeProfSingleProcessPrivilege 1056 wmic.exe Token: SeIncBasePriorityPrivilege 1056 wmic.exe Token: SeCreatePagefilePrivilege 1056 wmic.exe Token: SeBackupPrivilege 1056 wmic.exe Token: SeRestorePrivilege 1056 wmic.exe Token: SeShutdownPrivilege 1056 wmic.exe Token: SeDebugPrivilege 1056 wmic.exe Token: SeSystemEnvironmentPrivilege 1056 wmic.exe Token: SeRemoteShutdownPrivilege 1056 wmic.exe Token: SeUndockPrivilege 1056 wmic.exe Token: SeManageVolumePrivilege 1056 wmic.exe Token: 33 1056 wmic.exe Token: 34 1056 wmic.exe -
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
Muisvc(unpacked).exedescription pid process target process PID 2804 wrote to memory of 2040 2804 Muisvc(unpacked).exe wmic.exe PID 2804 wrote to memory of 2040 2804 Muisvc(unpacked).exe wmic.exe PID 2804 wrote to memory of 2040 2804 Muisvc(unpacked).exe wmic.exe PID 2804 wrote to memory of 1544 2804 Muisvc(unpacked).exe vssadmin.exe PID 2804 wrote to memory of 1544 2804 Muisvc(unpacked).exe vssadmin.exe PID 2804 wrote to memory of 1544 2804 Muisvc(unpacked).exe vssadmin.exe PID 2804 wrote to memory of 3592 2804 Muisvc(unpacked).exe wmic.exe PID 2804 wrote to memory of 3592 2804 Muisvc(unpacked).exe wmic.exe PID 2804 wrote to memory of 3592 2804 Muisvc(unpacked).exe wmic.exe PID 2804 wrote to memory of 1008 2804 Muisvc(unpacked).exe vssadmin.exe PID 2804 wrote to memory of 1008 2804 Muisvc(unpacked).exe vssadmin.exe PID 2804 wrote to memory of 1008 2804 Muisvc(unpacked).exe vssadmin.exe PID 2804 wrote to memory of 1056 2804 Muisvc(unpacked).exe wmic.exe PID 2804 wrote to memory of 1056 2804 Muisvc(unpacked).exe wmic.exe PID 2804 wrote to memory of 1056 2804 Muisvc(unpacked).exe wmic.exe PID 2804 wrote to memory of 1716 2804 Muisvc(unpacked).exe vssadmin.exe PID 2804 wrote to memory of 1716 2804 Muisvc(unpacked).exe vssadmin.exe PID 2804 wrote to memory of 1716 2804 Muisvc(unpacked).exe vssadmin.exe -
System policy modification 1 TTPs 3 IoCs
Processes:
Muisvc(unpacked).exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Muisvc(unpacked).exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" Muisvc(unpacked).exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" Muisvc(unpacked).exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Muisvc(unpacked).exe"C:\Users\Admin\AppData\Local\Temp\Muisvc(unpacked).exe"1⤵
- Modifies extensions of user files
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet2⤵
- Interacts with shadow copies
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1008-119-0x0000000000000000-mapping.dmp
-
memory/1056-120-0x0000000000000000-mapping.dmp
-
memory/1544-117-0x0000000000000000-mapping.dmp
-
memory/1716-121-0x0000000000000000-mapping.dmp
-
memory/2040-116-0x0000000000000000-mapping.dmp
-
memory/2804-115-0x0000000000920000-0x0000000000A2A000-memory.dmpFilesize
1.0MB
-
memory/3592-118-0x0000000000000000-mapping.dmp